From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from firstgate.proxmox.com (firstgate.proxmox.com [212.224.123.68]) by lore.proxmox.com (Postfix) with ESMTPS id 78BD91FF15C for ; Fri, 25 Jul 2025 14:14:38 +0200 (CEST) Received: from firstgate.proxmox.com (localhost [127.0.0.1]) by firstgate.proxmox.com (Proxmox) with ESMTP id AD43E177C3; Fri, 25 Jul 2025 14:15:59 +0200 (CEST) Message-ID: <951aedc8-137c-484b-9fc8-044af3374e8f@proxmox.com> Date: Fri, 25 Jul 2025 14:15:55 +0200 MIME-Version: 1.0 User-Agent: Mozilla Thunderbird Beta To: Proxmox Backup Server development discussion , Shannon Sterz References: <20250725112357.247866-1-s.sterz@proxmox.com> <20250725112357.247866-3-s.sterz@proxmox.com> Content-Language: en-US From: Dominik Csapak In-Reply-To: <20250725112357.247866-3-s.sterz@proxmox.com> X-Bm-Milter-Handled: 55990f41-d878-4baa-be0a-ee34c49e34d2 X-Bm-Transport-Timestamp: 1753445752404 X-SPAM-LEVEL: Spam detection results: 0 AWL 0.022 Adjusted score from AWL reputation of From: address BAYES_00 -1.9 Bayes spam probability is 0 to 1% DMARC_MISSING 0.1 Missing DMARC policy KAM_DMARC_STATUS 0.01 Test Rule for DKIM or SPF Failure with Strict Alignment SPF_HELO_NONE 0.001 SPF: HELO does not publish an SPF Record SPF_PASS -0.001 SPF: sender matches SPF record Subject: Re: [pbs-devel] [PATCH proxmox 2/3] auth-api: don't set `Expire` for HttpOnly cookies anymore X-BeenThere: pbs-devel@lists.proxmox.com X-Mailman-Version: 2.1.29 Precedence: list List-Id: Proxmox Backup Server development discussion List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: Proxmox Backup Server development discussion Content-Transfer-Encoding: 7bit Content-Type: text/plain; charset="us-ascii"; Format="flowed" Errors-To: pbs-devel-bounces@lists.proxmox.com Sender: "pbs-devel" LGTM Reviewed-by: Dominik Csapak Tested-by: Dominik Csapak On 7/25/25 13:24, Shannon Sterz wrote: > previously users may have assumed that closing a browser will log them > out. this usually worked (see note below), as we defined the cookies > as "session cookies" by not setting `Expire` or `Max-Age`. clients > should remove such cookies when they are closed. > > by setting `Expire` we broke this assumption as now browsers would > keep the cookie in place, even when closed, until they expired. > > note: some browsers may never have behaved as expected here. a lot of > modern browsers have a "session restore" feature that would simply > restore such cookies when the session was restored. see also the > warning over in the mdn docs for `Set-Cookie` [1]. > > in any case, the tickets within the cookies were always valid for two > hours as we don't "revoke" tickets before they expire. > > [1]: > https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#expiresdate > > Reported-By: Dominik Csapak > Suggested-By: Dominik Csapak > Signed-off-by: Shannon Sterz > --- > proxmox-auth-api/src/api/access.rs | 17 +++++------------ > 1 file changed, 5 insertions(+), 12 deletions(-) > > diff --git a/proxmox-auth-api/src/api/access.rs b/proxmox-auth-api/src/api/access.rs > index f5111d4a..671a370b 100644 > --- a/proxmox-auth-api/src/api/access.rs > +++ b/proxmox-auth-api/src/api/access.rs > @@ -158,25 +158,18 @@ fn create_ticket_http_only( > // parse the ticket here, so we can use the correct timestamp of the `Expire` parameter > // take the ticket here, so the option will be `None` in the response > if let Some(ticket_str) = ticket_response.ticket.take() { > - let ticket = Ticket::::parse(&ticket_str)?; > - > - // see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#expiresdate > - // see: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Date > - // see: https://developer.mozilla.org/en-US/docs/Web/Security/Practical_implementation_guides/Cookies#expires > - let expire = > - proxmox_time::epoch_to_http_date(ticket.time() + crate::TICKET_LIFETIME)?; > - > // this makes sure that ticket cookies: > // - Typically `__Host-`-prefixed: are only send to the specific domain that set > // them and that scripts served via http cannot overwrite the cookie. > - // - `Expires`: expire at the same time as the encoded timestamp in the ticket. > // - `Secure`: are only sent via https. > // - `SameSite=Lax`: are only sent on cross-site requests when the user is > // navigating to the origin site from an external site. > // - `HttpOnly`: cookies are not readable to client-side javascript code. > - let cookie = format!( > - "{host_cookie}={ticket_str}; Expires={expire}; Secure; SameSite=Lax; HttpOnly; Path=/;", > - ); > + // - don't set `Expire` to keep cookie a session cookie. otherwise, we may break > + // security assumptions made by users previously. the expiration limit is still > + // enforced server side. > + let cookie = > + format!("{host_cookie}={ticket_str}; Secure; SameSite=Lax; HttpOnly; Path=/;"); > > response = response.header(hyper::header::SET_COOKIE, cookie); > } _______________________________________________ pbs-devel mailing list pbs-devel@lists.proxmox.com https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel