On 12/22/22 15:56, Peter Naulls wrote:
On 12/22/22 13:50, Oscar Hjelm wrote:


I’m not familiar with the luci interface, but to help you get started:
- One workaround would be to use a different cookie name on the new secure cookies (or a new name on the older cookies, if that is preferred). The two cookies could co-exist.

Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old code. This requires fixups in 8 or so places to work properly, but seems to do the right thing.

To follow up on this, it didn't work properly. It looks to me that when there are multiple cookies set for a site, the http.getcookie, which uses:

return lhttp.header_attribute("cookie; " .. (self:getenv("HTTP_COOKIE") or ""), name)

will sometimes return the wrong cookie. I didn't dig into the exact problem further, but it would return the original "sysauth" cookie, not the new "sysauth-https". Perhaps due to alphabetical sorting, or a prefix match or something.

I renamed the new cookies to "http-sysauth" and "https-sysauth", to work around this and it seems to do the right thing. But there is still a fault here.
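
The symptom described in the message above, as an added example (not LuCI code and not from the thread): a hypothetical loose lookup that accepts a stored cookie whose name is a prefix of the requested name returns the old session cookie, while an exact-name parser does not. The loose matcher, both function names and the header strings are assumptions made for illustration; the actual cause inside lhttp.header_attribute was not identified in the thread.

```lua
-- Added example. Not LuCI's implementation; cookie values are constructed.

-- Hypothetical loose lookup: treats a cookie as a match when its name is a
-- prefix of the requested name (one of the causes guessed at above).
local function loose_getcookie(header, name)
  for k, v in header:gmatch("([^=;%s]+)=([^;]*)") do
    if name:sub(1, #k) == k then return v end
  end
end

-- Strict lookup: split the Cookie header on ";", trim each pair, and compare
-- the whole name for equality. If the same name appears more than once
-- (browsers may send duplicates set with different Path or Domain), refuse
-- to pick one. Failing closed is a design choice of this example.
local function strict_getcookie(header, name)
  local value, count = nil, 0
  for pair in (header or ""):gmatch("[^;]+") do
    local k, v = pair:match("^%s*([^=%s]+)=(.-)%s*$")
    if k == name then value, count = v, count + 1 end
  end
  if count > 1 then
    return nil, "ambiguous: " .. count .. " cookies named " .. name
  end
  return value
end

-- Constructed header with both session cookies present at once.
local hdr = "sysauth=OLD; sysauth-https=NEW"
assert(loose_getcookie(hdr, "sysauth-https") == "OLD")   -- wrong session cookie
assert(strict_getcookie(hdr, "sysauth-https") == "NEW")
assert(strict_getcookie(hdr, "sysauth") == "OLD")

-- The rename used as a workaround: neither name is a prefix of the other,
-- so the loose lookup happens to return the right value.
local renamed = "http-sysauth=OLD; https-sysauth=NEW"
assert(loose_getcookie(renamed, "https-sysauth") == "NEW")
assert(strict_getcookie(renamed, "http-sysauth") == "OLD")

-- Duplicate names are rejected instead of silently choosing one.
assert(strict_getcookie("sysauth=A; sysauth=B", "sysauth") == nil)
print("all cookie lookup checks passed")
```

Running the renamed header through the loose lookup shows why the workaround hides the fault without removing it: any future cookie whose name extends an existing one would collide again.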





_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
