luci-base: use different cookie names for HTTP and HTTPS

Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.

Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.

This allows users to log into a HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.

Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.

Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>

1 files changed, 3 insertions, 3 deletions

diff --git a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
index 2a99684c2c..605c7ab777 100644
--- a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
+++ b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
@@ -7,7 +7,7 @@
 			"recurse": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ],
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ],
 			"login": true
 		}
 	},
@@ -115,7 +115,7 @@
 			"post": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ]
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 		}
 	},
 
@@ -128,7 +128,7 @@
 			"post": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ]
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 		}
 	},