[pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups
Shannon Sterz
s.sterz at proxmox.com
Fri Jul 25 13:23:53 CEST 2025
this small series tries to smooth out the transition to HttpOnly cookies
for our users:
- cookies are now removed by the server if a 401 UNAUTHORIZED error is
encountered. this matches the behaviour of our previous javascript
browser-based clients. it is necessary, as they can't remove the
cookie themselves anymore due to the new security measures.
- log-in is possible again, even if an invalid HttpOnly cookie is
provided.
- `Expire` is removed from the cookies to make them "session cookies"
again. this should restore security assumptions some users may have
made about closing their browser and being logged out. note that
session cookies may still be restored after a browser was closed, if
the browser uses session restoration.
proxmox:
Shannon Sterz (3):
rest-server: remove auth cookies via http header on unauthorized
request
auth-api: don't set `Expire` for HttpOnly cookies anymore
auth-api: allow log-in via parameters even if HttpOnly cookie is
invalid
proxmox-auth-api/src/api/access.rs | 67 +++++++++++++++------------
proxmox-auth-api/src/types.rs | 2 +-
proxmox-rest-server/src/api_config.rs | 9 ++++
proxmox-rest-server/src/rest.rs | 25 +++++++++-
4 files changed, 71 insertions(+), 32 deletions(-)
proxmox-backup:
Shannon Sterz (1):
api/proxy: set auth cookie name in rest server api config
src/auth.rs | 10 +++++++++-
src/auth_helpers.rs | 1 +
src/bin/proxmox-backup-api.rs | 1 +
src/bin/proxmox-backup-proxy.rs | 1 +
4 files changed, 12 insertions(+), 1 deletion(-)
Summary over all repositories:
8 files changed, 83 insertions(+), 33 deletions(-)
--
Generated by git-murpp 0.8.1
More information about the pbs-devel
mailing list