Opened 12 years ago

Closed 11 years ago

#2316 closed Bug (invalid)

Web Interface - Authentication not being required!

Reported by: Sesquipedalian Owned by: kjg
Priority: Normal Milestone: None Set
Component: Web Client Version: 2.04
Severity: Normal Keywords: security, web, password, authentication
Cc:

Description

I have Transmission's web interface enabled, and have it set to require authentication. However, when connecting to the web interface over the Internet, authentication is not being asked for. The web interface just happily gives me full access without even prompting for a password.

This is not good, as far as security goes!

I'm on a Mac, using version 1.73.

Change History (14)

comment:1 Changed 12 years ago by wereHamster

I can't reproduce. Are you sure your browser isn't remembering the password for you?

comment:2 Changed 12 years ago by charles

I can't reproduce this either.

comment:3 Changed 12 years ago by kjg

  • Priority changed from Highest to Normal
  • Resolution set to worksforme
  • Status changed from new to closed

comment:4 Changed 12 years ago by livings124

I too cannot reproduce this.

comment:5 Changed 12 years ago by cfpp2p

I CAN reproduce. If the browser IS left OPEN, even if cache totally cleared, authentication is NOT required. BUT if just close browser then reopen browser then you WILL need authentication. So just close the browser and no problems...

comment:6 Changed 12 years ago by wereHamster

Keep in mind that T uses http authentication and not cookies, so clearing the cache does not clear the saved auth credentials. The web interface doesn't offer a logout button yet (and I'm not aware of any plans to do so), so for the time being, simply close the browser window.

comment:7 Changed 11 years ago by drakulavich

  • Resolution worksforme deleted
  • Status changed from closed to reopened
  • Version changed from 1.73 to 2.04

Have the same bug in transmission 2.04.

comment:8 follow-up: Changed 11 years ago by charles

I can't reproduce. Are you sure your browser isn't remembering the password for you?

comment:9 in reply to: ↑ 8 Changed 11 years ago by drakulavich

Replying to charles:

I can't reproduce. Are you sure your browser isn't remembering the password for you?

Absolutely. 2 computers and Android phone's browser confirmed this bug.

comment:10 follow-up: Changed 11 years ago by charles

drakulavich: are you running the daemon, or mac client, or gtk/qt client?

comment:11 in reply to: ↑ 10 Changed 11 years ago by drakulavich

Replying to charles:

drakulavich: are you running the daemon, or mac client, or gtk/qt client?

Only daemon.

comment:12 Changed 11 years ago by charles

Okay. Now, three more questions:

(1) How are you starting the daemon? Are you doing it by hand from the command line?

(2) Could you show here the *exact* command line you're using to invoke the daemon?

(3) Could you try running the *exact* same command that you used before, but add --dump-settings to the end of it, and attach here transmission-daemon's output from running that command?

comment:13 Changed 11 years ago by drakulavich

I'm a fool. Sorry for the trouble. I forgot to kill the daemon before editing settings.json with the option "rpc-authentication-required".

comment:14 Changed 11 years ago by charles

  • Resolution set to invalid
  • Status changed from reopened to closed

Thanks for reporting back. Don't feel bad about user error -- it happens to everyone. What sets you apart is that you were man enough to report back. Good job.
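
An added example, not part of the ticket or Transmission's own code: a check for the situation in comment 13, where settings.json says authentication is required but the running daemon never loaded that value. It probes the RPC endpoint with no credentials, so credentials saved by a browser session (comment 6) cannot mask the result; the default URL (port 9091, path /transmission/rpc) and the status-code classification are assumptions of this example.

```python
import json
import sys
import urllib.error
import urllib.request

# Assumed default for this example: transmission-daemon's usual RPC port and path.
DEFAULT_URL = "http://127.0.0.1:9091/transmission/rpc"


def probe_rpc_auth(url, timeout=5.0):
    """Send one request with no credentials and classify the daemon's answer."""
    # A fresh opener with no proxy and no password manager: nothing can
    # silently supply saved credentials the way an open browser session does.
    opener = urllib.request.build_opener(urllib.request.ProxyHandler({}))
    try:
        with opener.open(url, timeout=timeout) as resp:
            status, headers = resp.status, resp.headers
    except urllib.error.HTTPError as err:
        status, headers = err.code, err.headers
    if status == 401 and headers.get("WWW-Authenticate"):
        return "enforced"   # the server demanded HTTP authentication
    if status == 403:
        return "blocked"    # refused before any auth check; tells us nothing
    return "open"           # assumption: any other answer means no auth gate


def audit(settings_path, url=DEFAULT_URL):
    """Compare rpc-authentication-required on disk with the live behaviour."""
    with open(settings_path, encoding="utf-8") as fh:
        wanted = bool(json.load(fh).get("rpc-authentication-required", False))
    live = probe_rpc_auth(url)
    if live == "blocked":
        return "inconclusive"
    if wanted == (live == "enforced"):
        return "consistent"
    # The file and the running daemon disagree, e.g. settings.json was
    # edited while the daemon was running and it never loaded the change.
    return "mismatch"


if __name__ == "__main__":
    if len(sys.argv) < 2:
        sys.exit("usage: check_rpc_auth.py SETTINGS_JSON [RPC_URL]")
    result = audit(*sys.argv[1:3])
    print(result)
    sys.exit(0 if result == "consistent" else 1)
```

"consistent" only means the file and the daemon agree; it is also returned when authentication is switched off in both, so read the settings value alongside the result.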
