Secure cookie handling upon https to http downgrade
Peter Naulls
peter at chocky.org
Fri Dec 30 08:12:56 PST 2022
On 12/22/22 15:56, Peter Naulls wrote:
> On 12/22/22 13:50, Oscar Hjelm wrote:
>
>>
>> I’m not familiar with the luci interface, but to help you get started:
>> - One workaround would be to use a different cookie name on the new secure
>> cookies (or a new name on the older cookies, if that is preferred). The two
>> cookies could co-exist.
>
> Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old
> code. This requires fixups in 8 or so places to work properly, but seems to
> do the right thing.
To follow up on this, it didn't work properly. It looks to me that when there are
multiple cookies set for a site, http.getcookie, which uses:

    return lhttp.header_attribute("cookie; " .. (self:getenv("HTTP_COOKIE") or ""), name)

will sometimes return the wrong cookie. I didn't dig into the exact problem
further, but it would return the original "sysauth" cookie, not the new
"sysauth-https". Perhaps due to alphabetical sorting, or a prefix match or something.
I renamed the new cookies to "http-sysauth" and "https-sysauth", to work around
this and it seems to do the right thing. But there is still a fault here.
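To show the failure mode suspected above in isolation, here is an added example (not code from the post or from LuCI) of two ways to look up a cookie in a Cookie request header. The `naive_prefix_getcookie` function is a hypothetical lookup that accepts the first cookie-pair whose text merely starts with the requested name; `getcookie` splits the header on `;` and matches the full name exactly, as RFC 6265 section 4.2.1 describes the header. The header strings and token values are constructed for the demonstration.

```python
from typing import Dict, Optional


def naive_prefix_getcookie(header: str, name: str) -> Optional[str]:
    """Hypothetical fragile lookup (NOT LuCI's implementation).

    Returns the value of the first cookie-pair whose text starts with `name`.
    A cookie whose name is a prefix of another one ("sysauth" vs.
    "sysauth-https") is therefore ambiguous, and the answer depends on the
    order in which the user agent happened to send the pairs.
    """
    for pair in header.split(";"):
        pair = pair.strip()
        if pair.startswith(name) and "=" in pair:
            return pair.partition("=")[2].strip()
    return None


def parse_cookie_header(header: str) -> Dict[str, str]:
    """Parse a Cookie request header into {name: value}.

    Per RFC 6265 4.2.1 the header is a list of cookie-pairs separated by
    "; ", each of the form name "=" value. Empty pairs and pairs without an
    "=" are skipped. Only the first "=" separates name from value, so values
    containing "=" (e.g. base64) survive intact. If a name repeats, the first
    occurrence wins, since user agents send the more specific path first.
    """
    cookies: Dict[str, str] = {}
    for pair in header.split(";"):
        pair = pair.strip()
        if not pair or "=" not in pair:
            continue
        name, _, value = pair.partition("=")
        name = name.strip()
        if name and name not in cookies:
            cookies[name] = value.strip()
    return cookies


def getcookie(header: str, name: str) -> Optional[str]:
    """Exact-name lookup: matches only a pair whose complete name equals `name`."""
    return parse_cookie_header(header).get(name)


if __name__ == "__main__":
    # Constructed header: the new and the old session cookie coexist.
    header = "sysauth-https=NEWTOKEN; sysauth=OLDTOKEN"
    print("prefix lookup of sysauth ->", naive_prefix_getcookie(header, "sysauth"))
    print("exact  lookup of sysauth ->", getcookie(header, "sysauth"))
    print("exact  lookup of sysauth-https ->", getcookie(header, "sysauth-https"))
```

With the constructed header the prefix lookup of `sysauth` returns `NEWTOKEN`, the value of the wrong cookie, while the exact lookup returns `OLDTOKEN`. The renamed pair `http-sysauth` / `https-sysauth` happens to avoid the collision even under a prefix lookup, because neither name is a prefix of the other, which is consistent with the workaround reported above; the robust fix, however, is exact-name matching, which makes the result independent of naming and of the order the browser sends the pairs in.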