luci-base: use different cookie names for HTTP and HTTPS (e1932592) · Commits · openwrt / luci · GitLab

Commit e1932592 authored Jul 08, 2022 by

Jo-Philipp Wich

luci-base: use different cookie names for HTTP and HTTPS

Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.

Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.

This allows users to log into a HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.

Requires commit 2b0539ef

 ("lucihttp: update to latest Git HEAD") to
function properly.

Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

parent 2b0539ef

Hide whitespace changes

Inline Side-by-side

Javier Marcet @javier
mentioned in commit 2a9c3a31
· May 05, 2023

mentioned in commit 2a9c3a31

mentioned in commit 2a9c3a3173e0cec686fb8d9fafb8c063f80958e4

Toggle commit list

Please register or to comment