[pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups
Shannon Sterz
s.sterz at proxmox.com
Fri Jul 25 13:24:52 CEST 2025
On Fri Jul 25, 2025 at 1:23 PM CEST, Shannon Sterz wrote:
> this small series tries to smooth out the transition to HttpOnly cookies
> for our users:
>
> - cookies are now removed by the server if a 401 UNAUTHORIZED error is
>   encountered. this matches the behaviour of our previous javascript
>   browser-based clients. it is necessary, as they can't remove the
>   cookie themselves anymore due to the new security measures.
> - log-in is possible again, even if an invalid HttpOnly cookie is
>   provided.
> - `Expire` is removed from the cookies to make them "session cookies"
>   again. this should restore security assumptions some users may have
>   made about closing their browser and being logged out. note that
>   session cookies may still be restored after a browser was closed, if
>   the browser uses session restoration.
>
> proxmox:
>
> Shannon Sterz (3):
>   rest-server: remove auth cookies via http header on unauthorized
>     request
>   auth-api: don't set `Expire` for HttpOnly cookies anymore
>   auth-api: allow log-in via parameters even if HttpOnly cookie is
>     invalid
>
>  proxmox-auth-api/src/api/access.rs    | 67 +++++++++++++++------------
>  proxmox-auth-api/src/types.rs         |  2 +-
>  proxmox-rest-server/src/api_config.rs |  9 ++++
>  proxmox-rest-server/src/rest.rs       | 25 +++++++++-
>  4 files changed, 71 insertions(+), 32 deletions(-)
>
>
> proxmox-backup:
>
> Shannon Sterz (1):
>   api/proxy: set auth cookie name in rest server api config
>
>  src/auth.rs                     | 10 +++++++++-
>  src/auth_helpers.rs             |  1 +
>  src/bin/proxmox-backup-api.rs   |  1 +
>  src/bin/proxmox-backup-proxy.rs |  1 +
>  4 files changed, 12 insertions(+), 1 deletion(-)
>
>
> Summary over all repositories:
> 8 files changed, 83 insertions(+), 33 deletions(-)
>
> --
> Generated by git-murpp 0.8.1
sorry for sending this a second time, was a bit too quick with `git
send-email`
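
Added example, not part of the original message and not code from proxmox or proxmox-backup: a minimal Rust sketch of the three behaviours the cover letter lists (server-side cookie removal on 401, log-in with a stale cookie present, and a log-in cookie without an expiry attribute). The cookie name, ticket value, credentials and all function names are assumptions made for the illustration.

```rust
// Added illustration, not code from proxmox or proxmox-backup.
// AUTH_COOKIE, the ticket value and the credential check are constructed.
const AUTH_COOKIE: &str = "ExampleAuthCookie";
const ATTRS: &str = "Path=/; Secure; HttpOnly; SameSite=Lax";

/// Log-in cookie without `Expires`/`Max-Age`: a session cookie.
fn session_cookie(ticket: &str) -> String {
    format!("{}={}; {}", AUTH_COOKIE, ticket, ATTRS)
}

/// Header that makes the browser drop the cookie; only the server can do
/// this, because script cannot touch an HttpOnly cookie.
fn removal_cookie() -> String {
    format!("{}=; {}; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT", AUTH_COOKIE, ATTRS)
}

/// Extract the auth ticket from a request `Cookie` header.
fn auth_ticket(cookie_header: &str) -> Option<&str> {
    cookie_header.split(';').find_map(|pair| {
        let (name, value) = pair.trim().split_once('=')?;
        if name == AUTH_COOKIE { Some(value) } else { None }
    })
}

fn ticket_is_valid(ticket: &str) -> bool {
    ticket == "constructed-valid-ticket"
}

/// Authenticated request: returns (status, optional Set-Cookie value).
fn api_request(cookie_header: Option<&str>) -> (u16, Option<String>) {
    match cookie_header.and_then(auth_ticket) {
        Some(t) if ticket_is_valid(t) => (200, None),
        // 401 also clears the cookie so the client is not stuck with it.
        _ => (401, Some(removal_cookie())),
    }
}

/// Log-in: the posted credentials decide; a stale cookie must not block it.
fn login(_cookie_header: Option<&str>, user: &str, password: &str) -> (u16, Option<String>) {
    if user == "alice@pbs" && password == "constructed-password" {
        (200, Some(session_cookie("constructed-valid-ticket")))
    } else {
        (401, Some(removal_cookie()))
    }
}

fn main() {
    println!("{:?}", api_request(Some("ExampleAuthCookie=stale")));
    println!("{:?}", login(Some("ExampleAuthCookie=stale"), "alice@pbs", "constructed-password"));
}
```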