Ticket UUID: 573727d6d93badc681bd957a8e0945b3d053d487
Title: Default disallow local local users
Status: Fixed Type: Feature_Request
Severity: Important Priority:
Subsystem: Resolution: Fixed
Last Modified: 2011-02-22 20:30:57
Version Found In:
Description & Comments:
When using nginx to proxy back to a fossil repo, it's easy to either uncheck once in production or leave unchecked to start. Not unsolvable, but it would be ideal to have "Require password for local access" checked by default or removed altogether in favor of the following behavior.

I understand that option is there to facilitate local logins via "fs ui" but it seems like a better alternative would be to make "fs ui" perform the following:

  1. User calls fs ui from the command line
  2. fs ui injects a valid one-time use token into the sessions table
  3. fs ui then calls web-browser with something like http://127.0.0.1:8080/my_repo/auto-login?token=abcdef0123456789abcdef0123456789 which issues the user a login cookie and removes the one-time use token from the database

This step would go a long way towards a "secure by default" policy for Fossil.