[pbs-devel] applied: [PATCH proxmox{, -backup} 0/4] HttpOnly follow-ups
Thomas Lamprecht
t.lamprecht at proxmox.com
Mon Jul 28 14:56:30 CEST 2025
On Fri, 25 Jul 2025 13:23:53 +0200, Shannon Sterz wrote:
> this small series tries to smooth out the transition to HttpOnly cookies
> for our users:
>
> - cookies are now removed by the server if a 401 UNAUTHORIZED error is
> encountered. this matches the behaviour of our previous javascript
> browser-based clients. it is necessary, as they can't remove the
> cookie themselves anymore due to the new security measures.
> - log-in is possible again, even if an invalid HttpOnly cookie is
> provided.
> - `Expire` is removed from the cookies to make them "session cookies"
> again. this should restore security assumptions some users may have
> made about closing their browser and being logged out. note that
> session cookies may still be restored after a browser was closed, if
> the browser uses session restoration.
>
> [...]
As you already noticed:
Applied, thanks!
[1/1] api/proxy: set auth cookie name in rest server api config
commit: 8f4e455550e470a670f139d6124a00887962122c
[1/3] rest-server: remove auth cookies via http header on unauthorized request
commit: 4ef6a1c012a5e32d3059731094c31864ddd3fa78
[2/3] auth-api: don't set `Expire` for HttpOnly cookies anymore
commit: f45eb2934c484b652e8b3676b508d0ea1e9142d6
[3/3] auth-api: allow log-in via parameters even if HttpOnly cookie is invalid
commit: 2c0b5edda2f778837c4d2eb8a259a04c3dca8ebd
More information about the pbs-devel
mailing list