From e1932592c3e0804eec5d85fee989ceeed1e1050a Mon Sep 17 00:00:00 2001
From: Jo-Philipp Wich
Date: Fri, 8 Jul 2022 15:38:53 +0200
Subject: luci-base: use different cookie names for HTTP and HTTPS
Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie is still present in the browser as it commonly happens after e.g. a sysupgrade operation or when frequently jumping between HTTP and HTTPS access. Rework the dispatcher to set either a `sysauth_http` or `sysauth_https` cookie, depending on the HTTPS state of the server connection and accept both cookie names when verifying the session ID. This allows users to log into a HTTP-only LuCI instance while a stale, "secure" HTTPS cookie is still present. Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to function properly.
Fixes: #5843
Signed-off-by: Jo-Philipp Wich
---
 modules/luci-base/root/usr/share/luci/menu.d/luci-base.json | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)
(limited to 'modules/luci-base/root')
diff --git a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
index 2a99684c2c..605c7ab777 100644
--- a/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
+++ b/modules/luci-base/root/usr/share/luci/menu.d/luci-base.json
@@ -7,7 +7,7 @@
 "recurse": true
 },
 "auth": {
- "methods": [ "cookie:sysauth" ],
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ],
 "login": true
 }
 },
@@ -115,7 +115,7 @@
 "post": true
 },
 "auth": {
- "methods": [ "cookie:sysauth" ]
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 }
 },
@@ -128,7 +128,7 @@
 "post": true
 },
 "auth": {
- "methods": [ "cookie:sysauth" ]
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
 }
 },
-- 
cgit v1.2.3
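Review bot: Listing `cookie:sysauth_http` next to `cookie:sysauth_https` in the first hunk's `auth.methods` (and identically in the two later hunks at -115 and -128) means a session ID carried in the non-Secure cookie is also honoured on HTTPS requests, so acceptance must continue to rest solely on the dispatcher validating that ID against the server-side session store, whichever cookie name delivered it. The order of the two names reads as "prefer the HTTPS cookie when both are present", but a menu.d entry cannot express that precedence or bind a cookie name to the connection type; that logic sits in the dispatcher outside this diff, which only the commit message currently describes. Since JSON permits no comments, I would state the precedence and the "both names accepted, Secure one first" rule in a short comment next to the cookie-checking code in the dispatcher, and note there that the behaviour depends on the lucihttp update the description references as commit 2b0539ef9d.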