git.openwrt.org Git - project/luci.git/commit

author	Jo-Philipp Wich <jo@mein.io>
	Fri, 8 Jul 2022 13:38:53 +0000 (15:38 +0200)
committer	Jo-Philipp Wich <jo@mein.io>
	Thu, 25 Aug 2022 08:56:38 +0000 (10:56 +0200)
commit	08fb38399f5b297be7d460703b70d3b893139f9f
tree	3a2665dbde0a8e75342d2ab4dd3de06ec6245cfa	tree \| snapshot
parent	6fceae5150cf97e6583ba93aba4f2c2a9d777757	commit \| diff

luci-base: use different cookie names for HTTP and HTTPS

Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.

Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.

This allows users to log into a HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.

Requires commit 2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.

Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
(cherry picked from commit e1932592c3e0804eec5d85fee989ceeed1e1050a)

modules/luci-base/luasrc/controller/admin/index.lua		diff \| blob \| history
modules/luci-base/luasrc/dispatcher.lua		diff \| blob \| history
modules/luci-base/root/usr/share/luci/menu.d/luci-base.json		diff \| blob \| history