Go to file
Dominik Csapak 9e69d726e0 fix external linking to products by setting cookie SameSite attribute to lax
We introduced the 'strict' setting when browsers warned about our
cookies not having any SameSite setting [0]. While this works in
general, it had an unforeseen side effect:

When opening a link to the web UI of Proxmox projects, any existing
cookie does not get sent on the initial page load due to coming from
another origin. This then leads to the username and CSRF prevention
token not being set in the index response.
The UI code interprets this as the user being logged out (e.g. because
the ticket is not valid) and clears the cookie, displaying the login
window, even if the cookie's ticket value was still valid.

The MDN reference[1] says that setting it to 'lax' is similar to
'strict', but sends the cookie when navigating *to* our origin even
from other sites, which is what we want when linking from elsewhere.
(This would have also been the default if we wouldn't have set any
attribute).

[0]: https://lore.proxmox.com/pve-devel/20230315162630.289768-1-m.carrara@proxmox.com/
[1]: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#SameSite_attribute

Fixes: aec7e8d ("toolkit/utils: set SameSite attr of auth cookie to 'strict'")
Signed-off-by: Dominik Csapak <d.csapak@proxmox.com>
2024-10-15 15:25:14 +02:00
debian bump version to 4.2.3 2024-04-25 11:45:15 +02:00
src fix external linking to products by setting cookie SameSite attribute to lax 2024-10-15 15:25:14 +02:00
.gitignore gitignore: add more build artefacts to ignore list 2024-04-21 09:56:55 +02:00
Makefile buildsys: improve DSC target & add sbuild convenience target 2023-05-25 10:15:11 +02:00