Opened 14 years ago
Closed 12 years ago
#2316 closed Bug (invalid)
Web Interface - Authentication not being required!
| Reported by: | Sesquipedalian | Owned by: | kjg |
|---|---|---|---|
| Priority: | Normal | Milestone: | None Set |
| Component: | Web Client | Version: | 2.04 |
| Severity: | Normal | Keywords: | security, web, password, authentication |
| Cc: |
Description
I have Transmission's web interface enabled, and have it set to require authentication. However, when connecting to the web interface over the Internet, authentication is not being asked for. The web interface just happily gives me full access without even prompting for a password.
This is not good, as far a security goes!
I'm on a Mac, using version 1.73.
Change History (14)
comment:1 Changed 14 years ago by wereHamster
comment:2 Changed 14 years ago by charles
I can't reproduce this either.
comment:3 Changed 14 years ago by kjg
- Priority changed from Highest to Normal
- Resolution set to worksforme
- Status changed from new to closed
comment:4 Changed 14 years ago by livings124
I too cannot reproduce this.
comment:5 Changed 14 years ago by cfpp2p
I CAN reproduce. If the browser IS left OPEN, even if cache totally cleared authentication is NOT required. BUT if just close browser then reopen browser then you WILL need authentication. So just close the browser an no problems...
comment:6 Changed 14 years ago by wereHamster
Keep in mind that T uses http authentication and not cookies, so clearing the cache does not clear the saved auth credentials. The web interface doesn't offer a logout button yet (and I'm not aware of any plans to do so), so for the time being, simply close the browser window.
comment:7 Changed 13 years ago by drakulavich
- Resolution worksforme deleted
- Status changed from closed to reopened
- Version changed from 1.73 to 2.04
Have the same bug in transmission 2.04.
comment:8 follow-up: ↓ 9 Changed 13 years ago by charles
I can't reproduce. Are you sure your browser isn't remembering the password for you?
comment:9 in reply to: ↑ 8 Changed 13 years ago by drakulavich
Replying to charles:
I can't reproduce. Are you sure your browser isn't remembering the password for you?
Absolutely. 2 computers and androidphone's browser confirmed this bug.
comment:10 follow-up: ↓ 11 Changed 13 years ago by charles
drakulavich: are you running the daemon, or mac client, or gtk/qt client?
comment:11 in reply to: ↑ 10 Changed 13 years ago by drakulavich
Replying to charles:
drakulavich: are you running the daemon, or mac client, or gtk/qt client?
Only daemon.
comment:12 Changed 12 years ago by charles
Okay. Now, three more questions:
(1) How are you starting the daemon? Are you doing it by hand from the command line?
(2) Could you show here the *exact* command line you're using to invoke the daemon?
(3) Could you try running the *exact* same command that you used before, but add --dump-settings to the end of it, and attach here transmission-daemon's output from running that command?
comment:13 Changed 12 years ago by drakulavich
I'm a fool. Sorry for the trouble. I forgot to kill daemon before edite settings.json with option "rpc-authentication-required".
comment:14 Changed 12 years ago by charles
- Resolution set to invalid
- Status changed from reopened to closed
Thanks for reporting back. Don't feel bad about user error -- it happens to everyone. What sets you apart is that you were man enough to report back. Good job.
I can't reproduce. Are you sure your browser isn't remembering the password for you?