[Commotion-admin] [luci-commotion-linux] Added secure and httponly flags to sysauth cookie in apps_controller.lua (#1)

areynold notifications at github.com
Fri Sep 27 17:32:56 UTC 2013


The httponly flag forces the cookie to be read via web requests only. The secure flag forces ssl for cookie requests. See https://github.com/opentechinstitute/commotion-openwrt/issues/32 and https://github.com/opentechinstitute/commotion-openwrt/issues/33 for the full issue writeups and pointers to resources.

In this case I'm not sure exactly what apps_controller is doing or how the cookie is being used, but the cookie construct is identical to luci's dispatcher.lua, which builds the sysauth cookie in commotion-openwrt (which triggered issues 32 and 33, above).

For a quick and dirty test, visit a page that uses the sysauth cookie (which would be any /admin page in commotion-openwrt) and use Firebug or equivalent to view cookies. Both httponly and secure should be On or True.

---
Reply to this email directly or view it on GitHub:
https://github.com/opentechinstitute/luci-commotion-linux/pull/1#issuecomment-25262579
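As an added example (not code from this PR or from LuCI), the following Python checker automates the Firebug test described above: it parses every Set-Cookie header in a raw HTTP response and reports which of the Secure and HttpOnly flags are missing. The "before" and "after" headers for the sysauth cookie are constructed here for illustration, not captured from a device.

```python
def parse_set_cookie(header_value):
    """Split a Set-Cookie value into (name, value, attrs).

    attrs maps lowercase attribute names to their value, or True for
    flag attributes such as Secure and HttpOnly that carry no value.
    """
    parts = [p.strip() for p in header_value.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def missing_cookie_flags(header_value, required=("secure", "httponly")):
    """Return the required flags that are absent from one Set-Cookie value."""
    _, _, attrs = parse_set_cookie(header_value)
    return [flag for flag in required if flag not in attrs]


def audit_response_headers(raw_headers):
    """Map each cookie name set in raw HTTP response headers to its missing flags.

    An empty list means the cookie carries both Secure and HttpOnly.
    """
    findings = {}
    for line in raw_headers.splitlines():
        if line.lower().startswith("set-cookie:"):
            header_value = line.split(":", 1)[1].strip()
            name, _, _ = parse_set_cookie(header_value)
            findings[name] = missing_cookie_flags(header_value)
    return findings


# Constructed sample headers (assumed shape of the sysauth cookie, not real captures).
BEFORE = "HTTP/1.1 200 OK\r\nSet-Cookie: sysauth=0123456789abcdef; path=/cgi-bin/luci/\r\n"
AFTER = ("HTTP/1.1 200 OK\r\n"
         "Set-Cookie: sysauth=0123456789abcdef; path=/cgi-bin/luci/; Secure; HttpOnly\r\n")

if __name__ == "__main__":
    for label, headers in (("before", BEFORE), ("after", AFTER)):
        for cookie, missing in audit_response_headers(headers).items():
            status = "OK" if not missing else "missing " + ", ".join(missing)
            print(f"{label}: {cookie}: {status}")
```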