Secure cookie handling upon https to http downgrade

Peter Naulls peter at chocky.org
Fri Dec 30 08:12:56 PST 2022


On 12/22/22 15:56, Peter Naulls wrote:
> On 12/22/22 13:50, Oscar Hjelm wrote:
> 
>>
>> I’m not familiar with the luci interface, but to help you get started:
>> - One workaround would be to use a different cookie name on the new secure 
>> cookies (or a new name on the older cookies, if that is preferred). The two 
>> cookies could co-exist.
> 
> Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old 
> code.  This requires fixups in 8 or so places to work properly, but seems to
> do the right thing.

To follow up on this, it didn't work properly. It looks to me that when there's
multiple cookies set for a site, the http.getcookie, which uses:

  return lhttp.header_attribute("cookie; " .. (self:getenv("HTTP_COOKIE") or ""), name)

will sometimes return the wrong cookie. I didn't dig into the exact problem 
further, but it would return the original "sysauth" cookie not the new 
"sysauth-https".  Perhaps due to alphabetical sorting, or a prefix match or something.

I renamed the new cookies to "http-sysauth" and "https-sysauth", to work around 
this and it seems to do the right thing.  But there is still a fault here.
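The message above leaves the cause open ("alphabetical sorting, or a prefix match or something"). The following is an added example, not LuCI or lucihttp code, that models the observed symptom with a constructed Cookie header: a lookup for "sysauth-https" that comes back with the old "sysauth" value. The buggy lookup (`prefix_get_cookie`) is a hypothesis, a name comparison truncated to the length of the stored cookie name; the hardened one (`exact_get_cookie`) parses the header into pairs and compares whole names. `is_prefix_free` is the check that explains why the rename to "http-sysauth"/"https-sysauth" happened to work. All names, values and the `strncmp`-style model are assumptions for illustration.

```python
"""Cookie lookup and why prefix-based name matching returns the wrong cookie.

Constructed example, not LuCI/lucihttp code. It models the symptom from the
mailing-list message: with "sysauth" and "sysauth-https" both present, a lookup
for "sysauth-https" comes back with the old "sysauth" value. One plausible
cause, comparing only the length of the stored name, is modelled as a
hypothesis; the hardened lookup parses the header and compares the full name.
"""
from typing import List, Optional, Tuple

# Constructed Cookie request header, as a browser would send it to one host
# after the old HTTP cookie and the new HTTPS cookie were set under two names.
COOKIE_HEADER = "sysauth=OLD-HTTP-SESSION; sysauth-https=NEW-HTTPS-SESSION"

# Constructed header after the workaround rename from the message.
RENAMED_HEADER = "http-sysauth=OLD-HTTP-SESSION; https-sysauth=NEW-HTTPS-SESSION"


def split_cookie_header(header: str) -> List[Tuple[str, str]]:
    """Split a Cookie header into (name, value) pairs in wire order.

    RFC 6265 4.2.1: pairs are separated by "; ", each pair is name "=" value,
    and the value may itself contain "=". Chunks without "=" are skipped.
    """
    pairs: List[Tuple[str, str]] = []
    for chunk in header.split(";"):
        chunk = chunk.strip()
        if not chunk or "=" not in chunk:
            continue
        name, value = chunk.split("=", 1)
        pairs.append((name.strip(), value.strip()))
    return pairs


def prefix_get_cookie(header: str, name: str) -> Optional[str]:
    """Hypothetical buggy lookup (constructed; not the real header_attribute).

    Compares only the first len(stored_name) characters of the wanted name,
    the way strncmp(stored, wanted, strlen(stored)) would. With "sysauth"
    stored first, a request for "sysauth-https" matches it and the old
    (HTTP) session value is returned instead of the HTTPS one.
    """
    for stored_name, value in split_cookie_header(header):
        if name[: len(stored_name)] == stored_name:
            return value
    return None


def exact_get_cookie(header: str, name: str) -> Optional[str]:
    """Hardened lookup: whole-name, case-sensitive comparison on parsed pairs.

    If the same name appears twice (for example the same cookie set for two
    paths), the first occurrence in wire order wins.
    """
    for stored_name, value in split_cookie_header(header):
        if stored_name == name:
            return value
    return None


def is_prefix_free(names: List[str]) -> bool:
    """True when no cookie name is a proper prefix of another.

    A prefix-free name set survives even the buggy lookup above, which is
    why "http-sysauth"/"https-sysauth" worked where "sysauth"/"sysauth-https"
    did not. Exact matching removes the need for this property.
    """
    return not any(a != b and b.startswith(a) for a in names for b in names)


if __name__ == "__main__":
    for header in (COOKIE_HEADER, RENAMED_HEADER):
        names = [n for n, _ in split_cookie_header(header)]
        print(f"names={names} prefix_free={is_prefix_free(names)}")
        for wanted in names:
            print(f"  {wanted:14s} prefix={prefix_get_cookie(header, wanted)!s:18s}"
                  f" exact={exact_get_cookie(header, wanted)}")
```

Run it to see that only the secure cookie's lookup differs between the two lookups on the original names, and that the renamed names give the same result either way. When the real parser is the thing at fault, fixing the parser to compare whole names is the durable change; choosing prefix-free names is the workaround the message describes.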

More information about the openwrt-devel mailing list