[pbs-devel] [PATCH proxmox-backup v2 2/3] ui: opt into the new HttpOnly ticket authentication flow
Shannon Sterz
s.sterz at proxmox.com
Wed Jul 23 17:14:00 CEST 2025
this should add additional protections for cookie stealing and xss
attacks. it also makes it harder to overwrite the cookie from
malicious subdomains.
Signed-off-by: Shannon Sterz <s.sterz at proxmox.com>
Tested-by: Mira Limbeck <m.limbeck at proxmox.com>
Tested-by: Maximiliano Sandoval <m.sandoval at proxmox.com>
---
changes since v1:
- minor lint fix-up where a trailing "," was missing in the second
proxmox-backup patch
- consistently use "HttpOnly" instead of switching between "http only",
"http-only" and "HttpOnly" in comments and user facing documentation,
thanks @ Mira Limbeck
www/Application.js | 12 +++++++++++-
www/LoginView.js | 4 +++-
www/MainView.js | 1 +
www/Utils.js | 6 ++++++
4 files changed, 21 insertions(+), 2 deletions(-)
diff --git a/www/Application.js b/www/Application.js
index 9e223522..e82ccdd0 100644
--- a/www/Application.js
+++ b/www/Application.js
@@ -18,7 +18,17 @@ Ext.define('PBS.Application', {
logout: function () {
var me = this;
Proxmox.Utils.authClear();
- me.changeView('loginview', true);
+ Proxmox.Utils.API2Request({
+ url: '/api2/extjs/access/ticket',
+ method: 'DELETE',
+ success: function () {
+ me.changeView('loginview', true);
+ },
+ failure: function ({ response }) {
+ // logout failed
+ console.error('could not log out', response);
+ },
+ });
},
changeView: function (view, skipCheck) {
diff --git a/www/LoginView.js b/www/LoginView.js
index a7764e5b..9c1ac38a 100644
--- a/www/LoginView.js
+++ b/www/LoginView.js
@@ -86,6 +86,8 @@ Ext.define('PBS.LoginView', {
}
sp.set(saveunField.getStateId(), saveunField.getValue());
+ creds['http-only'] = true;
+
try {
let resp = await Proxmox.Async.api2({
url: '/api2/extjs/access/ticket',
@@ -94,7 +96,7 @@ Ext.define('PBS.LoginView', {
});
let data = resp.result.data;
- if (data.ticket.startsWith('PBS:!tfa!')) {
+ if (data.ticket?.startsWith('PBS:!tfa!')) {
data = await me.performTFAChallenge(data);
}
diff --git a/www/MainView.js b/www/MainView.js
index b5ae3605..70adfbce 100644
--- a/www/MainView.js
+++ b/www/MainView.js
@@ -172,6 +172,7 @@ Ext.define('PBS.MainView', {
params: {
username: Proxmox.UserName,
password: ticket,
+ 'http-only': true,
},
url: '/api2/json/access/ticket',
method: 'POST',
diff --git a/www/Utils.js b/www/Utils.js
index 7fcf60e6..ccdae522 100644
--- a/www/Utils.js
+++ b/www/Utils.js
@@ -8,6 +8,12 @@ Ext.define('PBS.Utils', {
missingText: gettext('missing'),
updateLoginData: function (data) {
+ if (data['ticket-info']) {
+ // we received a HttpOnly ticket response, the actual cookie is handled by the browser.
+ // set the ticket field to use the information from `ticket-info`
+ data.ticket = data['ticket-info'];
+ }
+
Proxmox.Utils.setAuthData(data);
},
--
2.47.2
More information about the pbs-devel
mailing list