Secure cookie handling upon https to http downgrade

Peter Naulls peter at
Mon Jan 2 07:33:42 PST 2023

On 12/30/22 15:42, Jo-Philipp Wich wrote:
> Hi,
>> [...]
>> I renamed the new cookies to "http-sysauth" and "https-sysauth", to work
>> around this and it seems to do the right thing.  But there is still a fault here.
> Already fixed with

Right, thanks Jow, and everyone involved in OpenWrt. For some reason this was an 
update that I had missed in my setup.

More generally, and regard to the earlier suggestion, I would still suggest 
splitting the http vs https cookie names in any ongoing luci rework in order to 
avoid this situation.

I know that HTTPS on a local system is security theater, but it's where we find

More information about the openwrt-devel mailing list