Secure cookie handling upon https to http downgrade
Peter Naulls
peter at chocky.org
Thu Dec 22 12:56:46 PST 2022
On 12/22/22 13:50, Oscar Hjelm wrote:
>
> I’m not familiar with the luci interface, but to help you get started:
> - One workaround would be to use a different cookie name on the new secure
> cookies (or a new name on the older cookies, if that is preferred). The two
> cookies could co-exist.
Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old
code. This requires fixups in 8 or so places to work properly, but seems to
do the right thing.
>
> Setting the Secure flag is considered best-practice. However, if the end user
> deployment relies on self-signed certificates, then the security offered is low.
> A user is unfortunately likely to approve a certificate error and proceed
> anyway, leaking the session token to a potential attacker.
There's no question that a lot of the security measures I'm taking are theater
(see my previous posts), but the hoops have to be jumped through. And I think
they'll help out others in the future.
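The coexistence workaround discussed above (a Secure "sysauth" cookie for https next to a renamed "sysauth-http" cookie for plain http), simulated in Python as an added example; this is not code from the thread or from LuCI. The jar models the browser rules from RFC 6265 (a cookie with the same name, host and path replaces the stored one; Secure cookies are only sent over https) plus the "Leave Secure Cookies Alone" rule current browsers apply (a non-secure origin cannot set or overwrite a Secure cookie). The host, token values and the HttpOnly/SameSite flags are assumptions of the example, not details from the thread.

```python
"""Why a Secure session cookie needs its own name when the same device
is also reached over plain http.

Added example for the openwrt-devel thread; not LuCI code.  Host, tokens
and the HttpOnly/SameSite flags are constructed for the illustration.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    host: str
    path: str
    secure: bool


def session_header(name: str, token: str, secure: bool) -> str:
    """Build the Set-Cookie line a LuCI-style login handler would emit.

    secure=False models the old code, secure=True the hardened code."""
    c = SimpleCookie()
    c[name] = token
    c[name]["path"] = "/"
    c[name]["httponly"] = True        # assumed hardening, not from the thread
    c[name]["samesite"] = "Strict"    # assumed hardening, not from the thread
    if secure:
        c[name]["secure"] = True
    return c[name].OutputString()


class Jar:
    """Minimal cookie store following RFC 6265 s5.3/s5.4 plus the
    'Leave Secure Cookies Alone' behaviour of current browsers."""

    def __init__(self) -> None:
        self._store: dict[tuple[str, str, str], StoredCookie] = {}

    def store(self, scheme: str, host: str, set_cookie: str) -> bool:
        """Apply a Set-Cookie header received over `scheme`; True if stored."""
        sc = SimpleCookie()
        sc.load(set_cookie)
        stored = False
        for name, m in sc.items():
            secure = bool(m["secure"])
            if secure and scheme != "https":
                continue  # http origin may not set a Secure cookie
            path = m["path"] or "/"
            key = (name, host, path)
            old = self._store.get(key)
            if old is not None and old.secure and scheme != "https":
                continue  # http origin may not overwrite a Secure cookie
            # same name+host+path replaces the stored cookie (RFC 6265 s5.3)
            self._store[key] = StoredCookie(name, m.value, host, path, secure)
            stored = True
        return stored

    def cookies_for(self, scheme: str, host: str) -> list[str]:
        """Names the browser would put in the Cookie header (RFC 6265 s5.4)."""
        return sorted(
            c.name for c in self._store.values()
            if c.host == host and (scheme == "https" or not c.secure)
        )


def simulate(http_name: str, https_name: str, host: str = "192.168.1.1") -> dict:
    """Log in over http with the old code, then over https with the new code,
    then try to log in over http again; report what each side receives."""
    jar = Jar()
    jar.store("http", host, session_header(http_name, "tok-http-1", secure=False))
    jar.store("https", host, session_header(https_name, "tok-https", secure=True))
    relogin_ok = jar.store("http", host,
                           session_header(http_name, "tok-http-2", secure=False))
    return {
        "http": jar.cookies_for("http", host),
        "https": jar.cookies_for("https", host),
        "http_relogin_ok": relogin_ok,
    }


if __name__ == "__main__":
    # Same name on both sides: the Secure cookie replaces the http one, the
    # http UI loses its session and cannot get a new one while it exists.
    print("shared name :", simulate("sysauth", "sysauth"))
    # Distinct names: both sessions coexist; only the Secure one is https-only.
    print("split names :", simulate("sysauth-http", "sysauth"))
```

Over https the browser still sends the non-secure "sysauth-http" cookie alongside the Secure "sysauth", so the https code path must read only its own cookie name, which is exactly what renaming in the old code achieves.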
More information about the openwrt-devel mailing list