From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <pbs-devel-bounces@lists.proxmox.com>
Received: from firstgate.proxmox.com (firstgate.proxmox.com [IPv6:2a01:7e0:0:424::9])
	by lore.proxmox.com (Postfix) with ESMTPS id 263331FF15C
	for <inbox@lore.proxmox.com>; Fri, 25 Jul 2025 13:20:16 +0200 (CEST)
Received: from firstgate.proxmox.com (localhost [127.0.0.1])
	by firstgate.proxmox.com (Proxmox) with ESMTP id 48A87165D9;
	Fri, 25 Jul 2025 13:21:37 +0200 (CEST)
From: Shannon Sterz <s.sterz@proxmox.com>
To: pbs-devel@lists.proxmox.com
Date: Fri, 25 Jul 2025 13:20:17 +0200
Message-ID: <20250725112019.245838-3-s.sterz@proxmox.com>
X-Mailer: git-send-email 2.47.2
In-Reply-To: <20250725112019.245838-1-s.sterz@proxmox.com>
References: <20250725112019.245838-1-s.sterz@proxmox.com>
MIME-Version: 1.0
X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2
X-Bm-Transport-Timestamp: 1753442459580
X-SPAM-LEVEL: Spam detection results:  0
 AWL 0.022 Adjusted score from AWL reputation of From: address
 BAYES_00                 -1.9 Bayes spam probability is 0 to 1%
 DMARC_MISSING             0.1 Missing DMARC policy
 KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment
 SPF_HELO_NONE           0.001 SPF: HELO does not publish an SPF Record
 SPF_PASS               -0.001 SPF: sender matches SPF record
Subject: [pbs-devel] [PATCH proxmox 2/3] auth-api: don't set `Expire` for
 HttpOnly cookies anymore
X-BeenThere: pbs-devel@lists.proxmox.com
X-Mailman-Version: 2.1.29
Precedence: list
List-Id: Proxmox Backup Server development discussion
 <pbs-devel.lists.proxmox.com>
List-Unsubscribe: <https://lists.proxmox.com/cgi-bin/mailman/options/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=unsubscribe>
List-Archive: <http://lists.proxmox.com/pipermail/pbs-devel/>
List-Post: <mailto:pbs-devel@lists.proxmox.com>
List-Help: <mailto:pbs-devel-request@lists.proxmox.com?subject=help>
List-Subscribe: <https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel>, 
 <mailto:pbs-devel-request@lists.proxmox.com?subject=subscribe>
Reply-To: Proxmox Backup Server development discussion
 <pbs-devel@lists.proxmox.com>
Content-Type: text/plain; charset="us-ascii"
Content-Transfer-Encoding: 7bit
Errors-To: pbs-devel-bounces@lists.proxmox.com
Sender: "pbs-devel" <pbs-devel-bounces@lists.proxmox.com>

previously users may have assumed that closing a browser will log them
out. this usually worked (see note below), as we defined the cookies
as "session cookies" by not setting `Expire` or `Max-Age`. clients
should remove such cookies when they are closed.

by setting `Expire` we broke this assumption as now browsers would
keep the cookie in place, even when closed, until they expired.

note: some browsers may never have behaved as expected here. a lot of
modern browsers have a "session restore" feature that would simply
restore such cookies when the session was restored. see also the
warning over in the mdn docs for `Set-Cookie` [1].

in any case, the tickets within the cookies were always valid for two
hours as we don't "revoke" tickets before they expire.

[1]:
https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#expiresdate

Reported-By: Dominik Csapak <d.csapak@proxmox.com>
Suggested-By: Dominik Csapak <d.csapak@proxmox.com>
Signed-off-by: Shannon Sterz <s.sterz@proxmox.com>
---
 proxmox-auth-api/src/api/access.rs | 17 +++++------------
 1 file changed, 5 insertions(+), 12 deletions(-)

diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs
index f5111d4a..671a370b 100644
--- a/proxmox-auth-api/src/api/access.rs
+++ b/proxmox-auth-api/src/api/access.rs
@@ -158,25 +158,18 @@ fn create_ticket_http_only(
             // parse the ticket here, so we can use the correct timestamp of the `Expire` parameter
             // take the ticket here, so the option will be `None` in the response
             if let Some(ticket_str) = ticket_response.ticket.take() {
-                let ticket = Ticket::<ApiTicket>::parse(&ticket_str)?;
-
-                // see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate
-                // see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Date
-                // see: https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Cookies#expires
-                let expire =
-                    proxmox_time::epoch_to_http_date(ticket.time() + crate::TICKET_LIFETIME)?;
-
                 // this makes sure that ticket cookies:
                 // - Typically `__Host-`-prefixed: are only send to the specific domain that set
                 //   them and that scripts served via http cannot overwrite the cookie.
-                // - `Expires`: expire at the same time as the encoded timestamp in the ticket.
                 // - `Secure`: are only sent via https.
                 // - `SameSite=Lax`: are only sent on cross-site requests when the user is
                 //   navigating to the origin site from an external site.
                 // - `HttpOnly`: cookies are not readable to client-side javascript code.
-                let cookie = format!(
-                    "{host_cookie}={ticket_str}; Expires={expire}; Secure; SameSite=Lax; HttpOnly; Path=/;",
-                );
+                // - don't set `Expire` to keep cookie a session cookie. otherwise, we may break
+                //   security assumptions made by users previously. the expiration limit is still
+                //   enforced server side.
+                let cookie =
+                    format!("{host_cookie}={ticket_str}; Secure; SameSite=Lax; HttpOnly; Path=/;");
 
                 response = response.header(hyper::header::SET_COOKIE, cookie);
             }
-- 
2.47.2



_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel