Volker Theile

Results 397 comments of Volker Theile

> I'm not terribly familiar with the structure of this project, but if I understand correctly, as of #1265 Caddy is used as a reverse proxy for SSL termination on...

> I see, thank you for clarifying! I am still interested in working on this... but I will need to sit down and read through the way login is currently...

> > JWT is a long planned feature, but there are no small PHP libraries
>
> From an earlier (unrelated) conversation I was under the impression that current PHP...

Have you tested Chrome? A user reported the same issue with Firefox, but was able to log in using Chrome. https://forum.openmediavault.org/index.php?thread/37442-firefox-login-loop/

The issue looks the same as https://github.com/openmediavault/openmediavault/issues/864. The user reported that desktop Firefox works, but the Android browser fails.

Here are the relevant parts:

* https://github.com/openmediavault/openmediavault/blob/master/deb/openmediavault/var/www/openmediavault/rpc/session.inc#L48
* https://github.com/openmediavault/openmediavault/blob/master/deb/openmediavault/usr/share/openmediavault/engined/rpc/usermgmt.inc#L72
* https://github.com/openmediavault/openmediavault/blob/master/deb/openmediavault/var/www/openmediavault/js/omv/window/Login.js#L143
* https://github.com/openmediavault/openmediavault/blob/master/deb/openmediavault/var/www/openmediavault/index.php#L37

The UI executes an RPC to authenticate the user. After that index.html decides whether to render the...

> `crypt(username, hashedUsername)` is used to generate the username hash, that is compared with a hash generated instead using `password_hash(username, PASSWORD_DEFAULT)`. Different salts probably, potentially different algorithms. It also looks like...

Using

```php
$hashedUsername = urldecode($matches[1]);
if (password_verify($params['username'], $hashedUsername)) {
    $firstLogIn = FALSE;
    break;
}
```

looks better to me. I think `password_verify` was not available at the time the code...

> **I can reproduce it and control it !!** The PHP session cookie has `samesite: strict`, and this _sometimes_ prevents the cookie from being sent back. When instead I configure...