Secure cookie handling upon https to http downgrade

Peter Naulls peter at chocky.org
Thu Dec 22 12:56:46 PST 2022


On 12/22/22 13:50, Oscar Hjelm wrote:

> 
> I’m not familiar with the luci interface, but to help you get started:
> - One workaround would be to use a different cookie name on the new secure 
> cookies (or a new name on the older cookies, if that is preferred). The two 
> cookies could co-exist.

Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old 
code.  This requires fixups in 8 or so places to work properly, but seems to
do the right thing.

> 
> Setting the Secure flag is considered best-practice. However, if the end user 
> deployment relies on self-signed certificates, then the security offered is low. 
> A user is unfortunately likely to approve a certificate error and proceed 
> anyway, leaking the session token to a potential attacker.

There's no question that a lot of the security measures I'm taking are theater
(see my previous posts), but the hoops have to be jumped through. And I think
they'll help out others in the future.
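The co-existence scheme discussed above, as an added example that is not part of the thread or of LuCI's own code: a Secure `sysauth` cookie issued over HTTPS, a separately named non-Secure `sysauth-http` cookie issued over plain HTTP, and a minimal model of a browser jar showing which of the two travels on each scheme after an https to http downgrade. The cookie names follow the thread; the header attributes, the jar model and all helper names are assumptions for illustration.

```python
"""Added example (not LuCI code): how a browser's cookie jar treats a Secure
session cookie across an https -> http downgrade, and why a separately named
non-Secure cookie lets the two coexist.  The names 'sysauth' and
'sysauth-http' follow the thread; the header attributes, jar model and
helper names are assumptions for illustration."""
from http.cookies import SimpleCookie

SECURE_COOKIE = "sysauth"        # issued only over https, carries Secure
PLAIN_COOKIE = "sysauth-http"    # legacy name for plain-http sessions


def session_set_cookie(scheme: str, token: str) -> str:
    """Build the Set-Cookie header value for a login performed over `scheme`.

    Over https the cookie gets Secure (never sent on http) and HttpOnly;
    over http the cookie uses a different name and no Secure flag, so the
    browser can hold both without one overwriting the other.
    """
    c = SimpleCookie()
    name = SECURE_COOKIE if scheme == "https" else PLAIN_COOKIE
    c[name] = token
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["samesite"] = "Strict"
    if scheme == "https":
        c[name]["secure"] = True
    return c[name].OutputString()


class CookieJar:
    """Minimal model of browser cookie storage for one host."""

    def __init__(self):
        self.cookies = {}  # name -> (value, secure_flag)

    def receive(self, scheme: str, set_cookie: str) -> None:
        """Store cookies from a Set-Cookie header received over `scheme`."""
        parsed = SimpleCookie()
        parsed.load(set_cookie)
        for name, morsel in parsed.items():
            secure = bool(morsel["secure"])
            # Browsers reject a Secure cookie delivered over plain http.
            if secure and scheme != "https":
                continue
            self.cookies[name] = (morsel.value, secure)

    def send(self, scheme: str) -> dict:
        """Cookies the browser would attach to a request over `scheme`."""
        return {
            name: value
            for name, (value, secure) in self.cookies.items()
            if scheme == "https" or not secure
        }


def session_token(scheme: str, cookies: dict):
    """Server side: accept only the cookie name that belongs to `scheme`."""
    name = SECURE_COOKIE if scheme == "https" else PLAIN_COOKIE
    return cookies.get(name)


def simulate_downgrade() -> dict:
    """Log in over https, then the user follows an http:// link to the same host.

    Returns what the server sees on each hop.  Constructed scenario; the
    tokens are placeholders.
    """
    jar = CookieJar()
    jar.receive("https", session_set_cookie("https", "https-session-token"))
    https_hop = session_token("https", jar.send("https"))
    http_hop = session_token("http", jar.send("http"))   # Secure cookie withheld
    # The http side issues its own, separately named cookie on a fresh login.
    jar.receive("http", session_set_cookie("http", "http-session-token"))
    return {
        "https_before_downgrade": https_hop,
        "http_after_downgrade": http_hop,
        "http_after_http_login": session_token("http", jar.send("http")),
        "https_after_http_login": session_token("https", jar.send("https")),
        "jar_names": sorted(jar.cookies),
    }


if __name__ == "__main__":
    for k, v in simulate_downgrade().items():
        print(f"{k}: {v}")
```

The downgrade hop returns no session because the browser withholds the Secure `sysauth` cookie on http, which is the whole point of the flag; the http login then stores `sysauth-http` next to it instead of overwriting it. Looking the token up by the scheme-specific name on the server side (the `session_token` helper here, an assumption rather than LuCI's logic) keeps a token that has already travelled in cleartext from being honoured on the https side. A Secure cookie arriving over http is dropped by the jar, mirroring what current browsers do.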






