Since HTTP cookies may not overwrite HTTPS ("secure") ones, users are
frequently unable to log into LuCI when a stale, "secure" `sysauth` cookie
is still present in the browser as it commonly happens after e.g. a
sysupgrade operation or when frequently jumping between HTTP and HTTPS
access.
Rework the dispatcher to set either a `sysauth_http` or `sysauth_https`
cookie, depending on the HTTPS state of the server connection and accept
both cookie names when verifying the session ID.
This allows users to log into a HTTP-only LuCI instance while a stale,
"secure" HTTPS cookie is still present.
Requires commit
2b0539ef9d ("lucihttp: update to latest Git HEAD") to
function properly.
Fixes: #5843
Signed-off-by: Jo-Philipp Wich <jo@mein.io>
if sid then
utl.ubus("session", "destroy", { ubus_rpc_session = sid })
- luci.http.header("Set-Cookie", "sysauth=%s; expires=%s; path=%s" %{
- '', 'Thu, 01 Jan 1970 01:00:00 GMT', dsp.build_url()
- })
+ local url = dsp.build_url()
+
+ if luci.http.getenv('HTTPS') == 'on' then
+ luci.http.header("Set-Cookie", "sysauth_https=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
+ end
+
+ luci.http.header("Set-Cookie", "sysauth_http=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=%s" % url)
end
luci.http.redirect(dsp.build_url())
function action_menu()
local dsp = require "luci.dispatcher"
- local utl = require "luci.util"
local http = require "luci.http"
- local acls = utl.ubus("session", "access", { ubus_rpc_session = http.getcookie("sysauth") })
+ local _, _, acls = dsp.is_authenticated({ methods = { "cookie:sysauth_https", "cookie:sysauth_http" } })
local menu = dsp.menu_json(acls or {}) or {}
http.prepare_content("application/json")
if subnode.sysauth_authenticator == "htmlauth" then
spec.auth = {
login = true,
- methods = { "cookie:sysauth" }
+ methods = { "cookie:sysauth_https", "cookie:sysauth_http" }
}
elseif subname == "rpc" and subnode.module == "luci.controller.rpc" then
spec.auth = {
login = false,
- methods = { "query:auth", "cookie:sysauth" }
+ methods = { "query:auth", "cookie:sysauth_https", "cookie:sysauth_http" }
}
elseif subnode.module == "luci.controller.admin.uci" then
spec.auth = {
return tpl
end
-local function is_authenticated(auth)
+function is_authenticated(auth)
if type(auth) == "table" and type(auth.methods) == "table" and #auth.methods > 0 then
local sid, sdat, sacl
for _, method in ipairs(auth.methods) do
return tpl.render("sysauth", scope)
end
- http.header("Set-Cookie", 'sysauth=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
+ http.header("Set-Cookie", 'sysauth_%s=%s; path=%s; SameSite=Strict; HttpOnly%s' %{
+ http.getenv("HTTPS") == "on" and "https" or "http",
sid, build_url(), http.getenv("HTTPS") == "on" and "; secure" or ""
})
"recurse": true
},
"auth": {
- "methods": [ "cookie:sysauth" ],
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ],
"login": true
}
},
"post": true
},
"auth": {
- "methods": [ "cookie:sysauth" ]
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
}
},
"post": true
},
"auth": {
- "methods": [ "cookie:sysauth" ]
+ "methods": [ "cookie:sysauth_https", "cookie:sysauth_http" ]
}
},
projects / project / luci.git / commitdiff