From: Paul Hänsch
Date: Wed, 4 Nov 2020 12:21:18 +0000 (+0100)
Subject: hold session key in POST data
X-Git-Url: http://git.plutz.net/?p=httpchat;a=commitdiff_plain;h=8ab57724f6c6d4d14040a393f51a108c6aba9c60
hold session key in POST data
---
diff --git a/channel.sh b/channel.sh
index 83b38d9..b930620 100755
--- a/channel.sh
+++ b/channel.sh
@@ -40,10 +40,10 @@ else { printf '
 [form #channel method="POST"
 [submit "action" "submit" style="display: none;"]
- [input type=hidden name=channelkey value="%s"][input type=hidden name=timenonce value="%s"]
+ [hidden "session_key" "%s"][hidden "channelkey" "%s"][hidden "timenonce" "%s"]
 [a .settings href="?settings#nick" Settings][input autocomplete="off" name="message" autofocus=true][submit "action" "submit" Send!]
 ]
- ' "$channelkey" "$_DATE"
+ ' "$SESSION_KEY" "$channelkey" "$_DATE"
 SHESCAPE='s;[]&<>#."[];\\&;g;'
 while sleep 10; do printf '\n'; done &
diff --git a/index.cgi b/index.cgi
index 194ac98..f44d288 100755
--- a/index.cgi
+++ b/index.cgi
@@ -33,11 +33,12 @@ yield_page(){
 settings_menu(){
 printf '
 [form #settings method="POST" action="?"
+ [hidden "session_key" "%s"]
 [h1 Settings][a .settings href="?" Close]'
 printf '
 [a .section href="#nick" Nickname]
 [div #nick [input name="nickname" value="%s"][submit "action" "nick" Set Cookie]]
- ' "$(HTML "${nickname#\?}")"
+ ' "$SESSION_KEY" "$(HTML "${nickname#\?}")"
 printf '
 [a .section href="#register" Register Nickname]
 [div #register
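Review bot: `$SESSION_KEY` is printed into `[hidden "session_key" "%s"]` with no escaping, although the line just below defines `SHESCAPE` for exactly the markup characters (`[]&<>#."`) that would end the quoted value early; the `index.cgi` hunk emits the key the same way. If the key is read back from POST data, as the commit title suggests, it should be checked against the expected key alphabet or escaped before it is printed; where `SESSION_KEY` is assigned is not visible here. Carrying the key in the page body also means this response should not be cacheable, since a stored copy of the page would contain a usable session key. The `else` block that holds this `printf` starts and ends outside the hunk.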
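Review bot: The new `%s` for `session_key` is in the first `printf` of `settings_menu`, which has no arguments, while `"$SESSION_KEY"` was added to the second `printf`, whose format contains only the one `%s` for the nickname. As written the hidden field is emitted empty, and because `printf` reuses its format for surplus arguments the `#nick` block is printed twice, once with the session key as the visible `nickname` value. Move the argument to the first call, ending it with `[h1 Settings][a .settings href="?" Close]' "$SESSION_KEY"`, and keep the second call's tail as `' "$(HTML "${nickname#\?}")"`. `settings_menu` continues past the end of the hunk.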