Secure cookie handling upon https to http downgrade

Peter Naulls peter at chocky.org
Mon Jan 2 07:33:42 PST 2023


On 12/30/22 15:42, Jo-Philipp Wich wrote:
> 
> Hi,
> 
>> [...]
>> I renamed the new cookies to "http-sysauth" and "https-sysauth", to work
>> around this and it seems to do the right thing.  But there is still a fault here.
> 
> Already fixed with
> https://github.com/jow-/lucihttp/commit/6e68a1065f3ed1889e5fa053b206bd3aa108bd5f

Right, thanks Jow, and everyone involved in OpenWrt. For some reason this was an 
update that I had missed in my setup.

More generally, and regard to the earlier suggestion, I would still suggest 
splitting the http vs https cookie names in any ongoing luci rework in order to 
avoid this situation.

I know that HTTPS on a local system is security theater, but it's where we find
ourselves.








More information about the openwrt-devel mailing list