From 82fe7449eefec55949d3d736b78cc7ce52cafcae Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Mon, 22 Sep 2014 14:37:13 +0200
Subject: [PATCH 1/2] ws: Make cookie be a session cookie

Although it really doesn't matter that much since we clear cookie's on the server side anyway, make our cookie a session cookie, so that it never gets stored in the browser.
---
 src/ws/cockpitauth.c | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index cdc7a8adbec..cf4c5a6fdd4 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -706,7 +706,7 @@ cockpit_auth_login_finish (CockpitAuth *self,
   if (out_headers)
     {
       cookie_b64 = g_base64_encode ((guint8 *)authenticated->cookie, strlen (authenticated->cookie));
-      header = g_strdup_printf ("CockpitAuth=%s; Path=/; Expires=Wed, 13-Jan-2021 22:23:01 GMT;%s HttpOnly",
+      header = g_strdup_printf ("CockpitAuth=%s; Path=/; %s HttpOnly",
                                 cookie_b64, force_secure ? " Secure;" : "");
       g_free (cookie_b64);
       g_hash_table_insert (out_headers, g_strdup ("Set-Cookie"), header);

From 9fd4efd778434bd9038de0268a22b5a8672bc3f9 Mon Sep 17 00:00:00 2001
From: Stef Walter
Date: Mon, 22 Sep 2014 14:38:40 +0200
Subject: [PATCH 2/2] ws: Give our cookie a simpler name: cockpit

When embedding, people will probably start using this cookie's name explicitly, so keep it simple and straightforward.
---
 src/ws/cockpitauth.c | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/src/ws/cockpitauth.c b/src/ws/cockpitauth.c
index cf4c5a6fdd4..ac46847bf91 100644
--- a/src/ws/cockpitauth.c
+++ b/src/ws/cockpitauth.c
@@ -559,7 +559,7 @@ authenticated_for_headers (CockpitAuth *self,
   if (!cockpit_web_server_parse_cookies (in_headers, &cookies, NULL))
     return NULL;
 
-  cookie = base64_decode_string (g_hash_table_lookup (cookies, "CockpitAuth"));
+  cookie = base64_decode_string (g_hash_table_lookup (cookies, "cockpit"));
   if (cookie == NULL)
     return NULL;
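Review bot: Dropping `Expires` from the Set-Cookie header in the first hunk turns it into a session cookie, but the commit message's claim that it "never gets stored in the browser" is stronger than what a session cookie guarantees: browsers that restore the previous session on restart commonly keep session cookies on disk, and any client that persists its cookie jar will too, so the server-side clearing of sessions the message mentions remains the real bound on the token's lifetime and the code should say so. I would add above the `g_strdup_printf` call: `/* No Expires/Max-Age: a session cookie. Browsers may still persist it via session restore, so server-side session expiry is the actual limit on its lifetime. */`. A smaller nit is that the new format string yields a double space in the header (`Path=/;  HttpOnly` when force_secure is false, `Path=/;  Secure; HttpOnly` when true); RFC 6265 parsers tolerate it, but `"CockpitAuth=%s; Path=/;%s HttpOnly"` produces clean output with the same `" Secure;"` insert. cockpit_auth_login_finish both starts and ends outside the hunk, so the lifetime of authenticated->cookie and the absence of any other Set-Cookie attributes cannot be checked from here.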
@@ -706,7 +706,7 @@ cockpit_auth_login_finish (CockpitAuth *self,
   if (out_headers)
     {
       cookie_b64 = g_base64_encode ((guint8 *)authenticated->cookie, strlen (authenticated->cookie));
-      header = g_strdup_printf ("CockpitAuth=%s; Path=/; %s HttpOnly",
+      header = g_strdup_printf ("cockpit=%s; Path=/; %s HttpOnly",
                                 cookie_b64, force_secure ? " Secure;" : "");
       g_free (cookie_b64);
       g_hash_table_insert (out_headers, g_strdup ("Set-Cookie"), header);