This is a snapshot of Indico's old Trac site. Any information contained herein is most probably outdated. Access our new GitHub site here.

Opened 20 months ago

Closed 19 months ago

Last modified 19 months ago

#1494 closed defect (fixed)

Auto-login from http:// URLs fails when modification key set

Reported by: pferreir
Owned by: jmonnich
Priority: high
Milestone: v1.2
Component: Security
Version: 1.1
Keywords:
Cc:

Description

Steps to reproduce:

  1. Log in to indico normally
  2. Create an event that is protected and has a modification key
  3. Copy the event URL
  4. Open the event URL, replacing http with https
  5. You're shown the modification key dialog

What should happen

You should be automatically shown the page as, after all, you are already logged in.

This happens because auth cookies don't get sent over plain HTTP. Maybe we should always redirect to the HTTPS version of the modification key dialog? That way we could already auto-login the user.
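The mechanism described in the report, as an added example that is not Indico's code and not the change from the fixing commit: a cookie marked `Secure` is withheld on `http://` requests, so the server sees an anonymous visitor, and a redirect to HTTPS before the key dialog lets the existing session be recognised. The cookie name `session_id`, the host `indico.example.org`, the session store and both function names are assumptions made for the illustration.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample: the session cookie a server sets after an HTTPS login.
SET_COOKIE = "session_id=3f9c-constructed; Path=/; Secure; HttpOnly"


def cookies_sent(set_cookie_header, url):
    """Cookies a browser attaches to a request for `url`.

    Only the Secure rule is modelled: Secure cookies go over https only.
    """
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    is_https = urlsplit(url).scheme == "https"
    return {name: m.value for name, m in jar.items()
            if is_https or not m["secure"]}


def handle_protected_event(url, cookies, sessions, allowed_users):
    """Return (action, detail) for a protected event with a modification key."""
    user = sessions.get(cookies.get("session_id"))
    if user in allowed_users:
        return ("show_page", user)
    parts = urlsplit(url)
    if parts.scheme != "https":
        # A missing session cookie over plain HTTP proves nothing: the browser
        # withholds Secure cookies. Retry over HTTPS before asking for the key.
        return ("redirect", parts._replace(scheme="https").geturl())
    return ("key_dialog", None)


if __name__ == "__main__":
    sessions = {"3f9c-constructed": "alice"}   # constructed session store
    allowed = {"alice"}
    url = "http://indico.example.org/event/1/"  # placeholder host
    for _ in range(2):
        action, detail = handle_protected_event(
            url, cookies_sent(SET_COOKIE, url), sessions, allowed)
        print(url, "->", action, detail)
        if action == "redirect":
            url = detail
```

A visitor with no session still reaches the key dialog, but only on the HTTPS request, where the absence of the cookie is meaningful.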

Change History (3)

comment:1 Changed 20 months ago by jmonnich

  • Owner set to jmonnich
  • Status changed from new to assigned

comment:2 Changed 19 months ago by jmonnich

  • Resolution set to fixed
  • Status changed from assigned to closed

comment:3 Changed 19 months ago by Adrian Moennich <adrian.moennich@…>

In c4786ea40b3a1c29704fd34236f9abd3f20c2194/indico:

[FIX] http autologin if event has modification key

fixes #1494
