From: Thomas Lamprecht <t.lamprecht@proxmox.com>
To: pbs-devel@lists.proxmox.com, Shannon Sterz <s.sterz@proxmox.com>
Subject: [pbs-devel] applied: [PATCH proxmox{, -backup} 0/4] HttpOnly follow-ups
Date: Mon, 28 Jul 2025 14:56:30 +0200 [thread overview]
Message-ID: <175370737726.827548.14111433684683088963.b4-ty@proxmox.com> (raw)
In-Reply-To: <20250725112357.247866-1-s.sterz@proxmox.com>
On Fri, 25 Jul 2025 13:23:53 +0200, Shannon Sterz wrote:
> this small series tries to smooth out the transition to HttpOnly cookies
> for our users:
>
> - cookies are now removed by the server if a 401 UNAUTHORIZED error is
> encountered. this matches the behaviour of our previous javascript
> browser-based clients. it is necessary, as they can't remove the
> cookie themselves anymore due to the new security measures.
> - log-in is possible again, even if an invalid HttpOnly cookie is
> provided.
> - `Expire` is removed from the cookies to make them "session cookies"
> again. this should restore security assumptions some users may have
> made about closing their browser and being logged out. note that
> session cookies may still be restored after a browser was closed, if
> the browser uses session restoration.
>
> [...]
As you already noticed:
Applied, thanks!
[1/1] api/proxy: set auth cookie name in rest server api config
commit: 8f4e455550e470a670f139d6124a00887962122c
[1/3] rest-server: remove auth cookies via http header on unauthorized request
commit: 4ef6a1c012a5e32d3059731094c31864ddd3fa78
[2/3] auth-api: don't set `Expire` for HttpOnly cookies anymore
commit: f45eb2934c484b652e8b3676b508d0ea1e9142d6
[3/3] auth-api: allow log-in via parameters even if HttpOnly cookie is invalid
commit: 2c0b5edda2f778837c4d2eb8a259a04c3dca8ebd
_______________________________________________
pbs-devel mailing list
pbs-devel@lists.proxmox.com
https://lists.proxmox.com/cgi-bin/mailman/listinfo/pbs-devel
prev parent reply other threads:[~2025-07-28 12:57 UTC|newest]
Thread overview: 12+ messages / expand[flat|nested] mbox.gz Atom feed top
2025-07-25 11:23 [pbs-devel] [PATCH proxmox{,-backup} " Shannon Sterz
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 1/3] rest-server: remove auth cookies via http header on unauthorized request Shannon Sterz
2025-07-25 12:15 ` Dominik Csapak
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 2/3] auth-api: don't set `Expire` for HttpOnly cookies anymore Shannon Sterz
2025-07-25 12:15 ` Dominik Csapak
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox 3/3] auth-api: allow log-in via parameters even if HttpOnly cookie is invalid Shannon Sterz
2025-07-25 12:23 ` Dominik Csapak
2025-07-25 11:23 ` [pbs-devel] [PATCH proxmox-backup 1/1] api/proxy: set auth cookie name in rest server api config Shannon Sterz
2025-07-25 12:23 ` Dominik Csapak
2025-07-25 11:24 ` [pbs-devel] [PATCH proxmox{,-backup} 0/4] HttpOnly follow-ups Shannon Sterz
2025-07-28 8:01 ` Shannon Sterz
2025-07-28 12:56 ` Thomas Lamprecht [this message]
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=175370737726.827548.14111433684683088963.b4-ty@proxmox.com \
--to=t.lamprecht@proxmox.com \
--cc=pbs-devel@lists.proxmox.com \
--cc=s.sterz@proxmox.com \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox