You signed in with another tab or window. Reload to refresh your session.You signed out in another tab or window. Reload to refresh your session.You switched accounts on another tab or window. Reload to refresh your session.Dismiss alert
The /cgi-bin/luci/admin/logout response headers contains one set-cookie line which expires the sysauth_http cookie but not the sysauth_https cookie: set-cookie: sysauth_http=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=/cgi-bin/luci/
Expected behavior:
The /cgi-bin/luci/admin/logout response headers should contain two set-cookie lines which expire both cookies, sysauth_http and sysauth_https (or maybe it's enough to expire the sysauth_https cookie when you use https.)
Additional Information:
OpenWrt version information from system /etc/openwrt_release
I have debugged the issue and apparently action_logout in modules/luci-base/ucode/controller/admin/index.uc first sets the set-cookie header to sysauth_https=... if https is enabled, and after that it always sets the set-cookie header to sysauth_http=... which overwrites the first set-cookie header.
The text was updated successfully, but these errors were encountered:
Steps to reproduce:
log in via https
log out
inspect page in browser
Actual behavior:
The /cgi-bin/luci/admin/logout response headers contains one set-cookie line which expires the
sysauth_http
cookie but not thesysauth_https
cookie:set-cookie: sysauth_http=; expires=Thu, 01 Jan 1970 01:00:00 GMT; path=/cgi-bin/luci/
Expected behavior:
The /cgi-bin/luci/admin/logout response headers should contain two set-cookie lines which expire both cookies,
sysauth_http
andsysauth_https
(or maybe it's enough to expire thesysauth_https
cookie when you use https.)Additional Information:
OpenWrt version information from system
/etc/openwrt_release
I have debugged the issue and apparently action_logout in modules/luci-base/ucode/controller/admin/index.uc first sets the set-cookie header to
sysauth_https=...
if https is enabled, and after that it always sets the set-cookie header tosysauth_http=...
which overwrites the first set-cookie header.The text was updated successfully, but these errors were encountered: