add and use cgiurl_abs_samescheme
* emailauth: Fix cookie problem when user is on https and the cgiurl uses http, by making the emailed login link use https. * passwordauth: Use https for emailed password reset link when user is on https. Not entirely happy with this approach, but I don't currently see a better one. I have not verified that the passwordauth change fixes any problem, other than the user getting a http link when they were using https. The emailauth problem is verified fixed by this commit. This commit was sponsored by Michael Magin.master
parent
71064e3af6
commit
a79ab9ed18
13
IkiWiki.pm
13
IkiWiki.pm
|
@ -1232,6 +1232,19 @@ sub cgiurl_abs (@) {
|
||||||
URI->new_abs(cgiurl(@_), $config{cgiurl});
|
URI->new_abs(cgiurl(@_), $config{cgiurl});
|
||||||
}
|
}
|
||||||
|
|
||||||
|
# Same as cgiurl_abs, but when the user connected using https,
|
||||||
|
# will be a https url even if the cgiurl is normally a http url.
|
||||||
|
#
|
||||||
|
# This should be used for anything involving emailing a login link,
|
||||||
|
# because a https session cookie will not be sent over http.
|
||||||
|
sub cgiurl_abs_samescheme (@) {
|
||||||
|
my $u=cgiurl_abs(@_);
|
||||||
|
if (($ENV{HTTPS} && lc $ENV{HTTPS} ne "off")) {
|
||||||
|
$u=~s/^http:/https:/i;
|
||||||
|
}
|
||||||
|
return $u
|
||||||
|
}
|
||||||
|
|
||||||
sub baseurl (;$) {
|
sub baseurl (;$) {
|
||||||
my $page=shift;
|
my $page=shift;
|
||||||
|
|
||||||
|
|
|
@ -76,7 +76,7 @@ sub email_auth ($$$$) {
|
||||||
$template->param(
|
$template->param(
|
||||||
wikiname => $config{wikiname},
|
wikiname => $config{wikiname},
|
||||||
# Intentionally using short field names to keep link short.
|
# Intentionally using short field names to keep link short.
|
||||||
authurl => IkiWiki::cgiurl_abs(
|
authurl => IkiWiki::cgiurl_abs_samescheme(
|
||||||
'e' => $email,
|
'e' => $email,
|
||||||
'v' => $token,
|
'v' => $token,
|
||||||
),
|
),
|
||||||
|
|
|
@ -358,7 +358,7 @@ sub formbuilder (@) {
|
||||||
my $template=template("passwordmail.tmpl");
|
my $template=template("passwordmail.tmpl");
|
||||||
$template->param(
|
$template->param(
|
||||||
user_name => $user_name,
|
user_name => $user_name,
|
||||||
passwordurl => IkiWiki::cgiurl_abs(
|
passwordurl => IkiWiki::cgiurl_abs_samescheme(
|
||||||
'do' => "reset",
|
'do' => "reset",
|
||||||
'name' => $user_name,
|
'name' => $user_name,
|
||||||
'token' => $token,
|
'token' => $token,
|
||||||
|
|
|
@ -1,5 +1,9 @@
|
||||||
ikiwiki (3.20171002) UNRELEASED; urgency=medium
|
ikiwiki (3.20171002) UNRELEASED; urgency=medium
|
||||||
|
|
||||||
|
* emailauth: Fix cookie problem when user is on https and the cgiurl
|
||||||
|
uses http, by making the emailed login link use https.
|
||||||
|
* passwordauth: Use https for emailed password reset link when user
|
||||||
|
is on https.
|
||||||
* Updated German basewiki and directives translation from
|
* Updated German basewiki and directives translation from
|
||||||
Sebastian Kuhnert.
|
Sebastian Kuhnert.
|
||||||
|
|
||||||
|
|
|
@ -18,10 +18,21 @@ firefox-esr, or chromium. --[[Joey]]
|
||||||
> Ok, to reproduce the problem: Log into joeyh.name using https. The email
|
> Ok, to reproduce the problem: Log into joeyh.name using https. The email
|
||||||
> login link is a http link. The session cookie was set https-only.
|
> login link is a http link. The session cookie was set https-only.
|
||||||
> --[[Joey]]
|
> --[[Joey]]
|
||||||
|
>
|
||||||
|
> The reason the edit form is able to be displayed is that emailauth
|
||||||
|
> sets up a session, in getsession(), and that $session is used for the
|
||||||
|
> remainder of that cgi call. But, a cookie for that session is not stored
|
||||||
|
> in the browser in this case. Ikiwiki *does* send a session cookie, but
|
||||||
|
> the browser seems to not let an existing https-only session cookie be
|
||||||
|
> replaced by a new session cookie that can be used with http. (If the
|
||||||
|
> emailed link, generated on https is opened in a different browser, this
|
||||||
|
> problem doesn't happen.) There may have been a browser behavior change
|
||||||
|
> here?
|
||||||
|
>
|
||||||
> So what to do about this? Sites with the problem have `redirect_to_https: 0`
|
> So what to do about this? Sites with the problem have `redirect_to_https: 0`
|
||||||
> and the cgiurl is http not https. So when emailauth generates the url,
|
> and the cgiurl is http not https. So when emailauth generates the url
|
||||||
> it's a http url, even if the user got to that point using https.
|
> with `cgiurl_abs`, it's a http url, even if the user got to that point
|
||||||
|
> using https.
|
||||||
>
|
>
|
||||||
> I suppose that emailauth could look at `$ENV{HTTPS}` same as
|
> I suppose that emailauth could look at `$ENV{HTTPS}` same as
|
||||||
> printheader() does, to detect this case, and rewrite the cgiurl as a
|
> printheader() does, to detect this case, and rewrite the cgiurl as a
|
||||||
|
@ -31,3 +42,12 @@ firefox-esr, or chromium. --[[Joey]]
|
||||||
>
|
>
|
||||||
> Of course, the easy workaround, increasingly a good idea anyway, is to
|
> Of course, the easy workaround, increasingly a good idea anyway, is to
|
||||||
> enable `redirect_to_https`.. --[[Joey]]
|
> enable `redirect_to_https`.. --[[Joey]]
|
||||||
|
|
||||||
|
> One of the users also reported a problem with password reset, and
|
||||||
|
> indeed, passwordauth is another caller of `cgiurl_abs`. (The only other
|
||||||
|
> caller, notifyemail, is probably fine.) The emailed password reset link
|
||||||
|
> also should be https if the user was using https. So, let's add a
|
||||||
|
> `cgiurl_abs_samescheme` that both can use. --[[Joey]]
|
||||||
|
|
||||||
|
[[fixed|done]].. At least I hope that was the thing actually preventing most
|
||||||
|
of the people from logging in. --[[Joey]]
|
||||||
|
|
Loading…
Reference in New Issue