change cookie to not expire instead of client-controlled expiry (duh)

use bucket duration as part of secret generation xxh32 -> xxh64
2025-05-09 02:05:37 +00:00 · 2021-11-24 01:09:11 +11:00
parent f7f6ecd276
commit 0c0fa22d6f
2 changed files with 5 additions and 2 deletions
--- a/src/libs/utils.lua
+++ b/src/libs/utils.lua
@ -15,7 +15,10 @@ function _M.resolve_fqdn(fqdn)
    return result:gsub("\n", "")
 end

+local secret_bucket_duration = 43200 -- 60 * 60 * 12 -- 12 hours
 function _M.generate_secret(context, salt, is_applet)
+	local start_sec = core.now()['sec']
+	local bucket = start_sec - (start_sec % secret_bucket_duration)
    local ip = context.sf:src()
 	local user_agent
 	if is_applet == true then
@ -24,7 +27,7 @@ function _M.generate_secret(context, salt, is_applet)
 	else
 		user_agent = context.sf:req_hdr('user-agent')
 	end
-    return context.sc:xxh32(salt .. ip .. user_agent)
+    return context.sc:xxh64(salt .. bucket .. ip .. user_agent)
 end

 return _M
--- a/src/scripts/hcaptcha.lua
+++ b/src/scripts/hcaptcha.lua
@ -78,7 +78,7 @@ function _M.view(applet)
                local floating_hash = utils.generate_secret(applet, cookie_secret, true)
                applet:add_header(
                    "set-cookie",
-                    string.format("z_ddos_captcha=%s; Max-Age=14400; Path=/", floating_hash)
+                    string.format("z_ddos_captcha=%s; expires=Thu, 31-Dec-37 23:55:55 GMT; Path=/", floating_hash)
                )
 --            else
 --                core.Debug("HCAPTCHA FAILED: " .. json.encode(api_response))