[pve-devel] [RFC PATCH http-server 0/1] allow ticket in auth header as fallback

Tim Marx t.marx at proxmox.com
Fri Aug 30 14:12:30 CEST 2019

This patch makes it possible to pass the PVETicket inside the HTTP Authorization
header as second option to the traditional cookie approach. Cookies can only be
set by using the browser apis e.g. document.cookie, a client is not allowed to
set a cookie header on a request object manually as long as it is in a browser
context. To simplfy this you can now pass the received ticket inside the
Authorization header on subsequent requests which should work regardless of the
context. This should as well free anyone to think about how the browser handles
the cookie, e.g. session restore etc.

The new "extract_ticket_from_auth_header" is almost identical to the old one.
The only difference for now is a space instead of "=" between the type and the
actual token, because this is the common way when using the Authorization header

Tim Marx (1):
  allow ticket in auth header as fallback

 PVE/APIServer/AnyEvent.pm  |  5 +++++
 PVE/APIServer/Formatter.pm | 12 ++++++++++++
 2 files changed, 17 insertions(+)

 PVE/Service/pveproxy.pm | 7 +++++++
 1 file changed, 7 insertions(+)

More information about the pve-devel mailing list