Secure cookie handling upon https to http downgrade
Peter Naulls
peter at chocky.org
Mon Jan 2 07:33:42 PST 2023
On 12/30/22 15:42, Jo-Philipp Wich wrote:
>
> Hi,
>
>> [...]
>> I renamed the new cookies to "http-sysauth" and "https-sysauth", to work
>> around this and it seems to do the right thing. But there is still a fault here.
>
> Already fixed with
> https://github.com/jow-/lucihttp/commit/6e68a1065f3ed1889e5fa053b206bd3aa108bd5f
Right, thanks Jow, and everyone involved in OpenWrt. For some reason this was an
update that I had missed in my setup.
More generally, and regard to the earlier suggestion, I would still suggest
splitting the http vs https cookie names in any ongoing luci rework in order to
avoid this situation.
I know that HTTPS on a local system is security theater, but it's where we find
ourselves.
More information about the openwrt-devel
mailing list