author | Jo-Philipp Wich <jo@mein.io> | 2022-07-08 15:38:53 +0200 |
committer | Jo-Philipp Wich <jo@mein.io> | 2022-07-08 15:38:53 +0200 |
commit | e1932592c3e0804eec5d85fee989ceeed1e1050a (patch) | |
tree | 469f729bd9b797a9b5306d2f591ee4e5e71254fb /modules/luci-base/luasrc/controller/admin/index.lua | |
parent | 2b0539ef9d1849b42fae206f0647bc647323c75d (diff) |
luci-base: use different cookie names for HTTP and HTTPS
Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.
Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.
This allows users to log into an HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present in the browser.
Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.
Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
Diffstat (limited to 'modules/luci-base/luasrc/controller/admin/index.lua')
-rw-r--r-- | modules/luci-base/luasrc/controller/admin/index.lua | 13 |
1 files changed, 8 insertions, 5 deletions
diff --git a/modules/luci-base/luasrc/controller/admin/index.lua b/modules/luci-base/luasrc/controller/admin/index.lua
index 736d0cdccf..8f9b481cce 100644
--- a/modules/luci-base/luasrc/controller/admin/index.lua
+++ b/modules/luci-base/luasrc/controller/admin/index.lua
@@ -11,9 +11,13 @@ function action_logout()
 if sid then
 utl.ubus("session", "destroy", { ubus_rpc_session = sid })
- luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s" %{
- '', 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
- })
+ local url = dsp.build_url()
+
+ if luci.http.getenv('HTTPS') == 'on' then
+ luci.http.header("Set-Cookie", "sysauth_https=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
+ end
+
+ luci.http.header("Set-Cookie", "sysauth_http=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
 end
 luci.http.redirect(dsp.build_url())
@@ -185,10 +189,9 @@ end
 function action_menu()
 local dsp = require "luci.dispatcher"
- local utl = require "luci.util"
 local http = require "luci.http"
- local acls = utl.ubus("session", "access", { ubus_rpc_session = http.getcookie("sysauth") })
+ local _, _, acls = dsp.is_authenticated({ methods = { "cookie:sysauth_https", "cookie:sysauth_http" } })
 local menu = dsp.menu_json(acls or {}) or {}
 http.prepare_content("application/json") |
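Review bot: The `if luci.http.getenv('HTTPS') == 'on'` guard in action_logout needs a comment, because a reader without the commit message will not see why the HTTPS cookie is only expired on HTTPS connections; suggest `-- a Secure cookie can only be overwritten from an HTTPS origin, so expiring it over plain HTTP would have no effect` directly above that line. Separately, only the session behind `sid` is destroyed while an HTTPS connection may now carry both cookies; if `sysauth_http` names a different, still-valid session, the browser-side expiry removes the cookie but that session presumably stays alive server-side until it times out, which is worth confirming against how `sid` is chosen. The start of action_logout, including the assignment of `sid`, lies before this hunk.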
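Review bot: Accepting `cookie:sysauth_http` on an HTTPS connection in action_menu means a session established over plaintext HTTP, or a non-Secure cookie planted by an on-path attacker, is honoured over TLS whenever no `sysauth_https` cookie is present; whether that is acceptable depends on the threat model the project assigns to HTTP access, but it is a downgrade-style caveat the commit message does not mention. If stricter behaviour is wanted, the method list could be derived from the connection, e.g. `local methods = http.getenv('HTTPS') == 'on' and { "cookie:sysauth_https" } or { "cookie:sysauth_https", "cookie:sysauth_http" }`, at the cost of the "logged in over HTTP, then switched to HTTPS" convenience this commit appears to keep. The line `local _, _, acls = dsp.is_authenticated(...)` also relies on the ACL table being the third return value, which cannot be checked here since is_authenticated lives in the dispatcher; a short comment such as `-- is_authenticated() returns sid, session data, acls` would make that dependency visible. action_menu's body continues past the end of the hunk.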