fix external linking to products by setting cookie SameSite attribute to lax

We introduced the 'strict' setting when browsers warned about our
cookies not having any SameSite setting [0]. While this works in
general, it had an unforeseen side effect:

When opening a link to the web UI of Proxmox projects, any existing
cookie does not get sent on the initial page load due to coming from
another origin. This then leads to the username and CSRF prevention
token not being set in the index response.
The UI code interprets this as the user being logged out (e.g. because
the ticket is not valid) and clears the cookie, displaying the login
window, even if the cookie's ticket value was still valid.

The MDN reference[1] says that setting it to 'lax' is similar to
'strict', but sends the cookie when navigating *to* our origin even
from other sites, which is what we want when linking from elsewhere.
(This would have also been the default if we wouldn't have set any
attribute).

[0]: https://lore.proxmox.com/pve-devel/20230315162630.289768-1-m.carrara@proxmox.com/
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute

Fixes: aec7e8d ("toolkit/utils: set SameSite attr of auth cookie to 'strict'")
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
This commit is contained in:
Dominik Csapak 2024-10-07 17:02:51 +02:00 committed by Thomas Lamprecht
parent 51e64f26ec
commit 9e69d726e0

View File

@ -317,7 +317,7 @@ utilities: {
// that way the cookie gets deleted after the browser window is closed // that way the cookie gets deleted after the browser window is closed
if (data.ticket) { if (data.ticket) {
Proxmox.CSRFPreventionToken = data.CSRFPreventionToken; Proxmox.CSRFPreventionToken = data.CSRFPreventionToken;
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "strict"); Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, data.ticket, null, '/', null, true, "lax");
} }
if (data.token) { if (data.token) {
@ -343,7 +343,7 @@ utilities: {
return; return;
} }
// ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure" // ExtJS clear is basically the same, but browser may complain if any cookie isn't "secure"
Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "strict"); Ext.util.Cookies.set(Proxmox.Setup.auth_cookie_name, "", new Date(0), null, null, true, "lax");
window.localStorage.removeItem("ProxmoxUser"); window.localStorage.removeItem("ProxmoxUser");
}, },