On 12/22/22 13:50, Oscar Hjelm wrote:
> I’m not familiar with the luci interface, but to help you get started:
> - One workaround would be to use a different cookie name on the new secure
> cookies (or a new name on the older cookies, if that is preferred). The two
> cookies could co-exist.
Yes, thank you. I was able to rename the cookie to "sysauth-http" in the old
code. This requires fixups in 8 or so places to work properly, but seems to
do the right thing.
> Setting the Secure flag is considered best practice. However, if the end user
> deployment relies on self-signed certificates, then the security offered is low.
> A user is unfortunately likely to approve a certificate error and proceed
> anyway, leaking the session token to a potential attacker.
There's no question that a lot of the security measures I'm taking are theater
(see my previous posts), but the hoops have to be jumped through. And I think
they'll help out others in the future.
_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
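The "two cookies co-exist" workaround discussed above, as an added example that is not part of the thread and not LuCI's own code: a toy session layer that issues a Secure-flagged cookie for HTTPS logins and a separately named cookie (the thread's "sysauth-http") for plain-HTTP logins, plus a minimal browser-side cookie jar that applies the one rule that makes the Secure flag worth anything, namely that a Secure cookie is never attached to an http request. The name "sysauth" for the Secure cookie, the in-memory session store and all tokens are assumptions constructed for the example.

```python
"""Added example, not code from the openwrt-devel thread or from LuCI: a toy
model of two session cookies with different names co-existing, one carrying
the Secure attribute and one not.  Names other than "sysauth-http" are assumed."""
import secrets
from http.cookies import SimpleCookie

SECURE_NAME = "sysauth"       # assumed name for the new, Secure-flagged cookie
PLAIN_NAME = "sysauth-http"   # name the reply gives for the renamed old cookie

SESSIONS = {}  # constructed in-memory session store: token -> username


def make_login_cookie(user, scheme):
    """Set-Cookie value for a login that arrived over `scheme` ("http"/"https").

    Each login gets its own token.  Over https the token lives in the Secure
    cookie, which a browser never attaches to a plain-http request.  Over http
    the Secure attribute cannot be used (browsers refuse to store a Secure
    cookie set from an insecure origin), so the token goes into the separately
    named cookie instead.  Both cookies are HttpOnly and SameSite=Strict.
    """
    token = secrets.token_hex(16)
    SESSIONS[token] = user
    name = SECURE_NAME if scheme == "https" else PLAIN_NAME
    c = SimpleCookie()
    c[name] = token
    c[name]["path"] = "/"
    c[name]["httponly"] = True
    c[name]["samesite"] = "Strict"
    if scheme == "https":
        c[name]["secure"] = True
    return c[name].OutputString()


class CookieJar:
    """Minimal model of the browser rules that matter here."""

    def __init__(self):
        self.cookies = {}  # name -> (value, is_secure)

    def store(self, set_cookie, scheme):
        """Store a Set-Cookie received over `scheme`; False if the browser rejects it."""
        c = SimpleCookie()
        c.load(set_cookie)
        for name, morsel in c.items():
            is_secure = bool(morsel["secure"])
            if is_secure and scheme != "https":
                return False  # Secure cookie arriving in an http response: rejected
            self.cookies[name] = (morsel.value, is_secure)
        return True

    def cookie_header(self, scheme):
        """Cookie request header for a request over `scheme`: Secure ones only on https."""
        sent = [f"{n}={v}" for n, (v, is_secure) in self.cookies.items()
                if scheme == "https" or not is_secure]
        return "; ".join(sent)


def authenticate(cookie_header, scheme):
    """Server side: resolve the session for a request over `scheme`.

    Only the cookie that belongs to the scheme is consulted, so a token that has
    travelled in clear text in sysauth-http is never accepted as an https session.
    """
    c = SimpleCookie()
    c.load(cookie_header)
    name = SECURE_NAME if scheme == "https" else PLAIN_NAME
    return SESSIONS.get(c[name].value) if name in c else None


def demo():
    """Walk through both logins and report what each side sees."""
    jar = CookieJar()
    rejected = not jar.store(f"{SECURE_NAME}=bogus; Secure", "http")
    jar.store(make_login_cookie("root", "https"), "https")
    jar.store(make_login_cookie("root", "http"), "http")
    https_hdr = jar.cookie_header("https")
    http_hdr = jar.cookie_header("http")
    return {
        "secure_rejected_over_http": rejected,
        "https_header_has_secure": f"{SECURE_NAME}=" in https_hdr,
        "http_header_has_secure": f"{SECURE_NAME}=" in http_hdr,
        "https_user": authenticate(https_hdr, "https"),
        "http_user": authenticate(http_hdr, "http"),
        "cross_scheme_user": authenticate(http_hdr, "https"),
        "tokens_differ": jar.cookies[SECURE_NAME][0] != jar.cookies[PLAIN_NAME][0],
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The point the example makes concrete is the one raised in the quoted reply: the Secure flag only protects the token on the HTTPS side. The plain-HTTP session in `sysauth-http` is still sent in clear text by design, and on a box with a self-signed certificate a user who clicks through the warning has an HTTPS connection whose peer may not be the router, so the Secure cookie is protected from passive interception on the wire but not from that interposed peer. Keeping the two tokens separate (and refusing the plain token on HTTPS requests, a design choice made here rather than anything the thread specifies) at least stops a token that was ever exposed over HTTP from being promoted into the HTTPS session.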