path: root/include/authentication.hpp
author:    Ed Tanous <edtanous@google.com>  2023-06-06 23:37:03 +0300
committer: Ed Tanous <ed@tanous.net>        2023-06-09 22:14:04 +0300
commit:    994fd86a3f6649a820f66313765e85e762ad105a (patch)
tree:      735fd2c3b5094568115c62f563e1356858c94ddd /include/authentication.hpp
parent:    08bbe1199f02d09f908cd3adcf4329e4bd67fd52 (diff)
download:  bmcweb-994fd86a3f6649a820f66313765e85e762ad105a.tar.xz
Fix hack on Set-Cookie
This is one that I couldn't figure out for a while. Turns out that fields has both a set() and an insert() method. Whereas set() replaces, insert() appends, which is what we want in this case. This allows us to call the actual methods several times, instead of essentially string injecting our own code, which should make it clearer.

At the same time, there was one unit test that was structured such that it was using addHeader to clear a header, so this commit adds an explicit "clearHeader()" method, so we can be explicit.

Tested:
Logging into the webui in chrome (which uses POST /login) shows:
401 with no cookie header if the incorrect password is used
200 with 2 Set-Cookie headers set:
Set-Cookie: SESSION=<session tag>; SameSite=Strict; Secure; HttpOnly
Set-Cookie: XSRF-TOKEN=<token tag>; SameSite=Strict; Secure

Change-Id: I9b87a48ea6ba892fc08e66940563dea86edb9a65
Signed-off-by: Ed Tanous <edtanous@google.com>
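The set()-versus-insert() distinction the commit message describes, and why the old "\r\nSet-Cookie: ..." string trick was only ever header injection that happened to land in the right place, as an added example. This is not bmcweb or Boost.Beast code: it is a self-contained model of a multi-valued header container whose set() replaces and insert() appends (assumed here to mirror boost::beast::http::fields), with a serializer that refuses CR/LF in a value. The token strings are constructed placeholders.

```cpp
#include <algorithm>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <utility>
#include <vector>

// Model of a multi-valued HTTP header container. Assumption: set()
// replaces every value of a field and insert() appends one more, the
// same contract the commit message attributes to beast's fields.
class Fields
{
  public:
    void set(const std::string& name, const std::string& value)
    {
        erase(name);
        insert(name, value);
    }
    void insert(const std::string& name, const std::string& value)
    {
        fields_.emplace_back(name, value);
    }
    void erase(const std::string& name)
    {
        fields_.erase(std::remove_if(fields_.begin(), fields_.end(),
                                     [&](const std::pair<std::string, std::string>& f) {
                                         return f.first == name;
                                     }),
                      fields_.end());
    }
    // Wire form of the header block. A value containing CR or LF is
    // refused: that check is all that separates "append a second header"
    // from "let a value smuggle an arbitrary header line onto the wire".
    std::string serialize() const
    {
        std::string out;
        for (const auto& field : fields_)
        {
            if (field.second.find_first_of("\r\n") != std::string::npos)
            {
                throw std::invalid_argument("CR/LF in header value: " + field.first);
            }
            out += field.first + ": " + field.second + "\r\n";
        }
        return out;
    }

  private:
    std::vector<std::pair<std::string, std::string>> fields_;
};

// Constructed placeholder tokens; real ones are random session secrets.
static const std::string kSessionToken = "SESSIONTOKEN0123";
static const std::string kCsrfToken = "CSRFTOKEN4567";

static std::size_t countHeaderLines(const std::string& block, const std::string& name)
{
    std::size_t n = 0;
    const std::string needle = name + ": ";
    for (std::size_t pos = block.find(needle); pos != std::string::npos;
         pos = block.find(needle, pos + 1))
    {
        ++n;
    }
    return n;
}

// With set(), every call wipes the previous cookie: only IsAuthenticated
// reaches the wire and the browser never sees SESSION or XSRF-TOKEN.
std::size_t cookieLinesWithSet()
{
    Fields res;
    res.set("Set-Cookie", "XSRF-TOKEN=" + kCsrfToken + "; SameSite=Strict; Secure");
    res.set("Set-Cookie", "SESSION=" + kSessionToken + "; SameSite=Strict; Secure; HttpOnly");
    res.set("Set-Cookie", "IsAuthenticated=true; Secure");
    return countHeaderLines(res.serialize(), "Set-Cookie");
}

// With insert(), the three separate calls of the post-fix code each
// become their own Set-Cookie line.
std::string cookieBlockWithInsert()
{
    Fields res;
    res.insert("Set-Cookie", "XSRF-TOKEN=" + kCsrfToken + "; SameSite=Strict; Secure");
    res.insert("Set-Cookie", "SESSION=" + kSessionToken + "; SameSite=Strict; Secure; HttpOnly");
    res.insert("Set-Cookie", "IsAuthenticated=true; Secure");
    return res.serialize();
}

std::size_t cookieLinesWithInsert()
{
    return countHeaderLines(cookieBlockWithInsert(), "Set-Cookie");
}

// The pre-fix shape: one value that carries "\r\nSet-Cookie: ..." inside
// it. It only produced valid output because nothing validated the value;
// a serializer that checks for CR/LF rejects it outright.
bool rejectsCrlfInjection()
{
    Fields res;
    res.insert("Set-Cookie", "XSRF-TOKEN=" + kCsrfToken +
                                 "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
                                 kSessionToken + "; SameSite=Strict; Secure; HttpOnly");
    try
    {
        res.serialize();
        return false;
    }
    catch (const std::invalid_argument&)
    {
        return true;
    }
}
```

The practical point for anyone reviewing similar code: if a header emitter lets you reach the wire by embedding CRLF in a value, any value that is partly attacker-controlled (a redirect target, a filename, a username echoed into a header) is a response-splitting vector, so the fix of calling the API once per header is not just cosmetic.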
Diffstat (limited to 'include/authentication.hpp')
-rw-r--r--  include/authentication.hpp  12
1 files changed, 7 insertions, 5 deletions
diff --git a/include/authentication.hpp b/include/authentication.hpp
index 4897c0e529..0e5e88060a 100644
--- a/include/authentication.hpp
+++ b/include/authentication.hpp
@@ -199,12 +199,14 @@ static std::shared_ptr<persistent_data::UserSession>
return sp;
}
// TODO: change this to not switch to cookie auth
- res.addHeader("Set-Cookie",
+ res.addHeader(boost::beast::http::field::set_cookie,
"XSRF-TOKEN=" + sp->csrfToken +
- "; SameSite=Strict; Secure\r\nSet-Cookie: SESSION=" +
- sp->sessionToken +
- "; SameSite=Strict; Secure; HttpOnly\r\nSet-Cookie: "
- "IsAuthenticated=true; Secure");
+ "; SameSite=Strict; Secure");
+ res.addHeader(boost::beast::http::field::set_cookie,
+ "SESSION=" + sp->sessionToken +
+ "; SameSite=Strict; Secure; HttpOnly");
+ res.addHeader(boost::beast::http::field::set_cookie,
+ "IsAuthenticated=true; Secure");
BMCWEB_LOG_DEBUG << " TLS session: " << sp->uniqueId
<< " with cookie will be used for this request.";
return sp;
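Review bot: the Tested section of the commit message reports two Set-Cookie headers (SESSION and XSRF-TOKEN), but this hunk issues three addHeader calls, the third being `"IsAuthenticated=true; Secure"`, so either that third cookie is being dropped somewhere before the wire or the test notes are incomplete; please confirm all three are emitted. While here, IsAuthenticated is the only one of the three without SameSite=Strict (and, unlike SESSION, without HttpOnly); if that is deliberate because the web UI reads it from script, a one-line comment saying so would stop the next reader from "fixing" it. The `// TODO: change this to not switch to cookie auth` line above the calls is untouched and still applies.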