autologin feature incompatible with nginx + apache deployment #65

Closed
cojocar opened this Issue Sep 25, 2014 · 3 comments

cojocar commented Sep 25, 2014

For certain deployments (apache server as a proxy behind nginx), the request will always come from localhost. Anyone can "autologin" with any username.

@cojocar cojocar added this to the meteor-ui milestone Sep 25, 2014

@cojocar cojocar added the security label Sep 25, 2014
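
An added illustration of the issue reported above, not code from this project: a loopback check on the TCP peer address beside one that resolves the client through the proxy. It assumes a WSGI-style `environ` and that nginx appends its peer address to `X-Forwarded-For`; all function names and sample requests are constructed for the example.

```python
import ipaddress

# Assumption: the front-end proxy (nginx here) runs on the same host and
# appends the address of its own peer to X-Forwarded-For.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.0/8"),
                   ipaddress.ip_network("::1/128")]


def naive_is_local(environ):
    """Flawed check: looks only at the TCP peer, which is the proxy."""
    return ipaddress.ip_address(environ["REMOTE_ADDR"]).is_loopback


def _is_trusted(addr):
    return any(addr in net for net in TRUSTED_PROXIES)


def client_ip(environ, behind_proxy=True):
    """Return the nearest address not belonging to a trusted proxy, or None."""
    peer = ipaddress.ip_address(environ["REMOTE_ADDR"])
    if not _is_trusted(peer):
        return peer  # direct connection: any forwarded header is client-supplied
    hops = [h.strip() for h in
            environ.get("HTTP_X_FORWARDED_FOR", "").split(",") if h.strip()]
    if not hops:
        # Behind a proxy the header must be present; fail closed if it is not.
        return None if behind_proxy else peer
    addr = None
    for hop in reversed(hops):  # rightmost entries were added by our proxies
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None  # malformed entry: refuse to guess
        if not _is_trusted(addr):
            return addr
    return addr  # every hop was trusted: the request originated locally


def is_local(environ, behind_proxy=True):
    addr = client_ip(environ, behind_proxy)
    return addr is not None and addr.is_loopback


# Constructed sample requests as WSGI-style environ dicts.
REMOTE_VIA_PROXY = {"REMOTE_ADDR": "127.0.0.1",
                    "HTTP_X_FORWARDED_FOR": "127.0.0.1, 203.0.113.7"}
LOCAL_VIA_PROXY = {"REMOTE_ADDR": "127.0.0.1",
                   "HTTP_X_FORWARDED_FOR": "127.0.0.1"}
```

The naive check accepts both sample requests as local; the proxy-aware one accepts only the second and refuses a proxied request that carries no forwarded header.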

valenting commented Sep 25, 2014

I think you're right. It was supposed to just be a way of getting a session cookie. We can probably find another way to do that.

calin-iorgulescu commented Feb 6, 2015

Since #72, sessions can be persistent. This should, theoretically, reduce the need to log in that often when doing development. If you think this suffices, maybe we could remove autologin().

valenting commented Feb 9, 2015

Great work, @calin-iorgulescu!
Yes, we can probably remove autologin. Don't worry about the meteor UI, I'll try to fix it soon enough.
