urosm
/
ikiwiki
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

how to fix?

master
Joey Hess 2018-01-05 11:17:11 -04:00
parent 76ff547344
commit 71064e3af6
No known key found for this signature in database
GPG Key ID: DB12DB0FF05F8F38
1 changed files with 13 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
doc/bugs/login_problem.mdwn
View File

@ -18,3 +18,16 @@ firefox-esr, or chromium. --[[Joey]]
> Ok, to reproduce the problem: Log into joeyh.name using https. The email > Ok, to reproduce the problem: Log into joeyh.name using https. The email
> login link is a http link. The session cookie was set https-only. > login link is a http link. The session cookie was set https-only.
> --[[Joey]] > --[[Joey]]
> So what to do about this? Sites with the problem have `redirect_to_https: 0`
> and the cgiurl is http not https. So when emailauth generates the url,
> it's a http url, even if the user got to that point using https.
>
> I suppose that emailauth could look at `$ENV{HTTPS}` same as
> printheader() does, to detect this case, and rewrite the cgiurl as a
> https url. Or, printheader() could just not set "-secure" on the cookie,
> but that does degrade security as MITM can then steal the cookie you're
> using on a https site.
>
> Of course, the easy workaround, increasingly a good idea anyway, is to
> enable `redirect_to_https`.. --[[Joey]]