luci-base: use different cookie names for HTTP and HTTPS

Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie is still present in the browser as it commonly happens after e.g. a sysupgrade operation or when frequently jumping between HTTP and HTTPS access. Rework the dispatcher to set either a `sysauth_http` or `sysauth_https` cookie, depending on the HTTPS state of the server connection and accept both cookie names when verifying the session ID. This allows users to log into a HTTP-only LuCI instance while a stale, "secure" HTTPS cookie is still present. Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to function properly. Fixes: #5843 Signed-off-by: Jo-Philipp Wich <jo@mein.io>
author: Jo-Philipp Wich <jo@mein.io> 2022-07-08 15:38:53 +0200
committer: Jo-Philipp Wich <jo@mein.io> 2022-07-08 15:38:53 +0200
commit: e1932592c3e0804eec5d85fee989ceeed1e1050a (patch)
tree: 469f729bd9b797a9b5306d2f591ee4e5e71254fb /modules/luci-base
parent: 2b0539ef9d1849b42fae206f0647bc647323c75d (diff)
3 files changed, 16 insertions, 12 deletions
diff --git a/modules/luci-base/luasrc/controller/admin/index.lua b/modules/luci-base/luasrc/controller/admin/index.lua
index 736d0cdccf..8f9b481cce 100644
--- a/modules/luci-base/luasrc/controller/admin/index.lua
+++ b/modules/luci-base/luasrc/controller/admin/index.lua
@@ -11,9 +11,13 @@ function action_logout()
 	if sid then
 		utl.ubus("session", "destroy", { ubus_rpc_session = sid })
 
-		luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s" %{
-			'', 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
-		})
+		local url = dsp.build_url()
+
+		if luci.http.getenv('HTTPS') == 'on' then
+			luci.http.header("Set-Cookie", "sysauth_https=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
+		end
+
+		luci.http.header("Set-Cookie", "sysauth_http=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
 	end
 
 	luci.http.redirect(dsp.build_url())
@@ -185,10 +189,9 @@ end
 
 function action_menu()
 	local dsp = require "luci.dispatcher"
-	local utl = require "luci.util"
 	local http = require "luci.http"
 
-	local acls = utl.ubus("session", "access", { ubus_rpc_session = http.getcookie("sysauth") })
+	local _, _, acls = dsp.is_authenticated({ methods = { "cookie:sysauth_https", "cookie:sysauth_http" } })
 	local menu = dsp.menu_json(acls or {}) or {}
 
 	http.prepare_content("application/json")
diff --git a/modules/luci-base/luasrc/dispatcher.lua b/modules/luci-base/luasrc/dispatcher.lua
index d27af0755a..a3726fb1c1 100644
--- a/modules/luci-base/luasrc/dispatcher.lua
+++ b/modules/luci-base/luasrc/dispatcher.lua
@@ -343,12 +343,12 @@ local function tree_to_json(node, json)
 				if subnode.sysauth_authenticator == "htmlauth" then
 					spec.auth = {
 						login = true,
-						methods = { "cookie:sysauth" }
+						methods = { "cookie:sysauth_https", "cookie:sysauth_http" }
 					}
 				elseif subname == "rpc" and subnode.module == "luci.controller.rpc" then
 					spec.auth = {
 						login = false,
-						methods = { "query:auth", "cookie:sysauth" }
+						methods = { "query:auth", "cookie:sysauth_https", "cookie:sysauth_http" }
 					}
 				elseif subnode.module == "luci.controller.admin.uci" then
 					spec.auth = {
@@ -732,7 +732,7 @@ local function init_template_engine(ctx)
 	return tpl
 end
 
-local function is_authenticated(auth)
+function is_authenticated(auth)
 	if type(auth) == "table" and type(auth.methods) == "table" and #auth.methods > 0 then
 		local sid, sdat, sacl
 		for _, method in ipairs(auth.methods) do
@@ -929,7 +929,8 @@ function dispatch(request)
 				return tpl.render("sysauth", scope)
 			end
 
-			http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
+			http.header("Set-Cookie", 'sysauth_%s=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
+				http.getenv("HTTPS") == "on" and "https" or "http",
 				sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
 			})
 
diff --git a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
index 2a99684c2c..605c7ab777 100644
--- a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
+++ b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
@@ -7,7 +7,7 @@
 			"recurse": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ],
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ],
 			"login": true
 		}
 	},
@@ -115,7 +115,7 @@
 			"post": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ]
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 		}
 	},
 
@@ -128,7 +128,7 @@
 			"post": true
 		},
 		"auth": {
-			"methods": [ "cookie:sysauth" ]
+			"methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 		}
 	},
author	Jo-Philipp Wich <jo@mein.io>	2022-07-08 15:38:53 +0200
committer	Jo-Philipp Wich <jo@mein.io>	2022-07-08 15:38:53 +0200
commit	e1932592c3e0804eec5d85fee989ceeed1e1050a (patch)
tree	469f729bd9b797a9b5306d2f591ee4e5e71254fb /modules/luci-base
parent	2b0539ef9d1849b42fae206f0647bc647323c75d (diff)