diff options
| author | Ed Tanous <ed@tanous.net> | 2024-04-20 03:22:43 +0300 |
|---|---|---|
| committer | Ed Tanous <ed@tanous.net> | 2024-04-26 09:06:39 +0300 |
| commit | 9f217c26f58c0a99c18e7cac7b095dcf6068562d (patch) | |
| tree | 8fa60e8efd6d70d2efefd5399862a1f5d914e232 /redfish-core | |
| parent | 98df875b683ef4bc3b1be46300db67f35d11bac3 (diff) | |
| download | bmcweb-9f217c26f58c0a99c18e7cac7b095dcf6068562d.tar.xz | |
Make cookie auth check all headers
Currently, the Cookie auth only checks the first cookie header in a
request. This works fine for most things, because a lot of
implementations (browsers) seem to either put the Cookie headers in
alphabetical order, or put them in the order in which they were stored
which in the case of bmcweb, is also alphabetical.
Well, http2 blows this up, because cookies could potentially be in any
order, given the hpack compression techniques, so there's no promise
that Cookie[0] is the Session cookie.
This commit reworks the authentication code to call beasts "equal_range"
getter, which returns the range of all headers that matched. This
allows us to attempt to parse the cookies in whatever order they might
have been received.
The auth routine only tries to log in the first cookie matching
SESSION=, and do not try to handle duplicates, as this might allow
attackers to negate the anti brute force measures by testing multiple
passwords at once
Tested:
With http2 enabled, the UI can now log in more consistently, and in
addition, the HTML redfish pages function more consistently when using
cookie auth.
Redfish service validator passes.
Change-Id: I3a61a5a654f62096ff19cfbfaf0a10f30a1a3605
Signed-off-by: Ed Tanous <ed@tanous.net>
Diffstat (limited to 'redfish-core')
0 files changed, 0 insertions, 0 deletions