
Do not use the IP address as part of the login cookie if the server is set to redirect all HTTP requests over to HTTPS.

drh 2020-03-27 15:37 trunk
Commit ce4bece94608e13e791484d41bc741a3175130631ec72eeee80d9f9e564e06c0
2 files changed +5 -1 +4 -1
+5 -1
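--- a/src/login.c
+++ b/src/login.c
@@ -121,11 +121,15 @@
 */
 static char *ipPrefix(const char *zIP){
 int i, j;
 static int ip_prefix_terms = -1;
 if( ip_prefix_terms<0 ){
-ip_prefix_terms = db_get_int("ip-prefix-terms",2);
+if( db_get_int("redirect-to-https",0)>=2 ){
+ip_prefix_terms = 0;
+}else{
+ip_prefix_terms = db_get_int("ip-prefix-terms",2);
+}
 }
 if( ip_prefix_terms==0 ) return mprintf("0");
 for(i=j=0; zIP[i]; i++){
 if( zIP[i]=='.' ){
 j++;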
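Review bot: The threshold `>=2` on new line 126 is a magic value; nothing in the hunk says what the levels of `redirect-to-https` mean, and a reader has to know from setup.c that 2 is "Always". A one-line comment would carry the rationale: `/* redirect-to-https>=2 is "Always": the cookie only travels over TLS, so binding it to the client IP adds nothing */`. The decision is taken from a stored setting rather than from the transport of the request that actually presents the cookie, so a deployment that sets the value to 2 without an HTTPS listener silently loses the IP binding while one whose TLS is terminated elsewhere but leaves the setting below 2 keeps it; the comment should say the check is configuration-based. Because `ip_prefix_terms` is a static cache, a change to either setting takes effect only after the process restarts, which was already true before this commit. The body of ipPrefix continues past the end of the hunk.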
+4 -1
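--- a/src/setup.c
+++ b/src/setup.c
@@ -405,13 +405,16 @@
 @ </p>
 @
 @ <hr />
 entry_attribute("IP address terms used in login cookie", 3,
 "ip-prefix-terms", "ipt", "2", 0);
-@ <p>The number of octets of of the IP address used in the login cookie.
+@ <p>The number of octets of of the IP address used in the login cookie
+@ when using unencrypted HTTP instead of HTTPS.
 @ Set to zero to omit the IP address from the login cookie. A value of
 @ 2 is recommended.
+@ If the "Redirect to HTTP" above is set to "Always", then the IP address
+@ is not used in the login cookie and this setting is irrelevant.
 @ (Property: "ip-prefix-terms")
 @ </p>
 @
 @ <hr />
 entry_attribute("Login expiration time", 6, "cookie-expire", "cex",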
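Review bot: The new help text on lines 410 and 414 carries two wording defects: the pre-existing doubled "of of" is kept on the rewritten line 410, and the label quoted on line 414 is `"Redirect to HTTP"` while the setting consulted in login.c is `redirect-to-https`, so the label presumably should read "Redirect to HTTPS". Suggested lines: `@ <p>The number of octets of the IP address used in the login cookie` and `@ If the "Redirect to HTTPS" above is set to "Always", then the IP address`. The enclosing setup-page function starts and ends outside the hunk.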
