From f06cc25a990207431250197abadda101b38b8198 Mon Sep 17 00:00:00 2001
From: Ozzieisaacs
Date: Mon, 21 Sep 2020 18:34:39 +0200
Subject: [PATCH] Fix for immediate logout with next="/logout" Fix tolino per default with deactivated Strict-Transport-Security
---
 cps/web.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)
diff --git a/cps/web.py b/cps/web.py
index 47104e45..341d941b 100644
--- a/cps/web.py
+++ b/cps/web.py
@@ -132,7 +132,8 @@ def add_security_headers(resp):
 resp.headers['X-Content-Type-Options'] = 'nosniff'
 resp.headers['X-Frame-Options'] = 'SAMEORIGIN'
 resp.headers['X-XSS-Protection'] = '1; mode=block'
- # resp.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
+ if "tolino" not in request.headers.get('User-Agent'):
+ resp.headers['Strict-Transport-Security'] = 'max-age=31536000; includeSubDomains'
 log.debug(request.headers)
 return resp

@@ -1439,6 +1440,8 @@ def login():
 flash(_(u"Wrong Username or Password"), category="error")

 next_url = request.args.get('next', default=url_for("web.index"), type=str)
+ if url_for("web.logout") == next_url:
+ next_url = url_for("web.index")
 return render_title_template('login.html',
 title=_(u"login"),
 next_url=next_url,
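Review bot: `request.headers.get('User-Agent')` returns `None` when a client sends no User-Agent header, so the added `"tolino" not in ...` test raises `TypeError` in add_security_headers (which appears to run on every response) and such requests fail instead of receiving their headers; give the lookup a default, `if "tolino" not in request.headers.get('User-Agent', ''):`. The substring match is also case-sensitive, so confirm the exact casing the Tolino reader sends. Turning `Strict-Transport-Security` on by default with `includeSubDomains` pins browsers that receive it over HTTPS to HTTPS for a year on the host and every subdomain, which can lock users out of a sibling service still served over plain HTTP; a configuration switch, or sending it only on secure requests, would be safer. Separately, the unchanged `log.debug(request.headers)` line writes Cookie and Authorization values to the debug log. The body of add_security_headers starts above the hunk.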
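Review bot: The new check in login() compares `next_url` to the logout path by exact string equality, so only that literal value is rewritten and any other form of `next` (the logout path with a query string or trailing slash, or an absolute URL) reaches the template unchanged. Because `next` is read straight from the query string and presumably drives the post-login redirect, validate it as a local path rather than special-casing one value: `target = urlparse(next_url)` followed by `if target.scheme or target.netloc or target.path == url_for("web.logout"): next_url = url_for("web.index")`. That needs `urlparse` in scope, and the file's imports are not visible in this hunk. login() begins and ends outside the hunk, so confirm where `next_url` is finally consumed.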