luci/modules/luci-base/root
Jo-Philipp Wich e1932592c3 luci-base: use different cookie names for HTTP and HTTPS
Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.

Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.

This allows users to log into an HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.

Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.

Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
2022-07-08 15:38:53 +02:00
..
etc luci-base: ucitrack: fix broken affects logic 2022-03-30 14:12:38 +02:00
sbin Rework LuCI build system 2015-01-08 16:26:20 +01:00
usr luci-base: use different cookie names for HTTP and HTTPS 2022-07-08 15:38:53 +02:00
www luci-base: apply Browser/OS dark mode preference to index redirect page 2021-11-16 13:06:03 +01:00