Overview
| Comment: | Do not use the IP address as part of the login cookie if the server is set to redirect all HTTP requests over to HTTPS. |
|---|---|
| SHA3-256: | ce4bece94608e13e791484d41bc741a3 |
| User & Date: | drh 2020-03-27 15:37:21.051 |
Context
| 2020-03-27 | |
|---|---|
| 22:23 | Add the ability to purge old pending subscriptions from the /subscribers page. check-in: 8c40c38f5e user: drh tags: trunk |
| 15:37 | Do not use the IP address as part of the login cookie if the server is set to redirect all HTTP requests over to HTTPS. check-in: ce4bece946 user: drh tags: trunk |
| 15:19 | Fix an accidental fork. check-in: a5d6567ea6 user: drh tags: trunk |
Changes
Changes to src/login.c.
| ︙ | ︙ | |||
119 120 121 122 123 124 125 |
** with each HTTP request. To allow such (broken) clients to log in,
** extract just a prefix of the IP address.
*/
static char *ipPrefix(const char *zIP){
int i, j;
static int ip_prefix_terms = -1;
if( ip_prefix_terms<0 ){
| > > > | > | 119 120 121 122 123 124 125 126 127 128 129 130 131 132 133 134 135 136 137 |
** with each HTTP request. To allow such (broken) clients to log in,
** extract just a prefix of the IP address.
*/
static char *ipPrefix(const char *zIP){
int i, j;
static int ip_prefix_terms = -1;
if( ip_prefix_terms<0 ){
if( db_get_int("redirect-to-https",0)>=2 ){
ip_prefix_terms = 0;
}else{
ip_prefix_terms = db_get_int("ip-prefix-terms",2);
}
}
if( ip_prefix_terms==0 ) return mprintf("0");
for(i=j=0; zIP[i]; i++){
if( zIP[i]=='.' ){
j++;
if( j==ip_prefix_terms ) break;
}
|
| ︙ | ︙ |
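Review bot: the new test `db_get_int("redirect-to-https",0)>=2` in ipPrefix() uses a bare 2 with no comment saying which setting value it stands for; the setup.c help text in this same check-in calls that mode "Always", so a short comment or a named constant would tie the two together. The header comment above the function still only describes extracting a prefix of the IP address and should also say that the function returns "0" when the server redirects all HTTP requests to HTTPS. Because the result is cached in the static ip_prefix_terms on the first call, it is worth confirming that a change to redirect-to-https never needs to be picked up within a running process. With the address dropped from the cookie in this mode, please also confirm that the login cookie is only ever sent over HTTPS when the setting is >=2, since nothing in these lines shows that.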
Changes to src/setup.c.
| ︙ | ︙ | |||
403 404 405 406 407 408 409 |
@ password. This is another way of supporting Basic Authenitication.
@ (Property: "http_authentication_ok")
@ </p>
@
@ <hr />
entry_attribute("IP address terms used in login cookie", 3,
"ip-prefix-terms", "ipt", "2", 0);
| | > > > | 403 404 405 406 407 408 409 410 411 412 413 414 415 416 417 418 419 420 421 422 |
@ password. This is another way of supporting Basic Authenitication.
@ (Property: "http_authentication_ok")
@ </p>
@
@ <hr />
entry_attribute("IP address terms used in login cookie", 3,
"ip-prefix-terms", "ipt", "2", 0);
@ <p>The number of octets of of the IP address used in the login cookie
@ when using unencrypted HTTP instead of HTTPS.
@ Set to zero to omit the IP address from the login cookie. A value of
@ 2 is recommended.
@ If the "Redirect to HTTP" above is set to "Always", then the IP address
@ is not used in the login cookie and this setting is irrelevant.
@ (Property: "ip-prefix-terms")
@ </p>
@
@ <hr />
entry_attribute("Login expiration time", 6, "cookie-expire", "cex",
"8766", 0);
@ <p>The number of hours for which a login is valid. This must be a
|
| ︙ | ︙ |
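Review bot: the added help text for ip-prefix-terms has two wording errors: "octets of of the IP address" repeats "of", and "Redirect to HTTP" should presumably read "Redirect to HTTPS", since the login.c change in this check-in keys off the redirect-to-https setting. The word "octets" also describes dotted IPv4 addresses only; ipPrefix() counts '.' separators, so either say "dot-separated terms" to match the field label "IP address terms used in login cookie" or state how other address forms are handled. The behaviour described for zero and for the "Always" mode matches the login.c lines (`ip_prefix_terms==0` returns "0"), so only the wording needs attention.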