Secure cookie handling upon https to http downgrade
peter at chocky.org
Mon Jan 2 07:33:42 PST 2023
On 12/30/22 15:42, Jo-Philipp Wich wrote:
>> I renamed the new cookies to "http-sysauth" and "https-sysauth", to work
>> around this and it seems to do the right thing. But there is still a fault here.
> Already fixed with
Right, thanks Jow, and everyone involved in OpenWrt. For some reason this was an
update that I had missed in my setup.
More generally, and regard to the earlier suggestion, I would still suggest
splitting the http vs https cookie names in any ongoing luci rework in order to
avoid this situation.
I know that HTTPS on a local system is security theater, but it's where we find
More information about the openwrt-devel