coder / code-server

VS Code in the browser
https://coder.com
MIT License
67.73k stars 5.56k forks

[Bug]: Multiple instances on the same host with different ports overwrite each other's login cookies #6237

Open pigpag opened 1 year ago

pigpag commented 1 year ago

Is there an existing issue for this?

OS/Web Information

Steps to Reproduce

  1. Start two code-server instances on the same host with different ports
  2. On the remote machine, start two browsers connecting to the two ports

Expected

Both work well independently.

Actual

When the second browser session connects to the code-server, the first session's cookie gets overwritten, causing a lot of resource acquisition to have HTTP 401 Unauthorized errors. For example, extension introduction pages cannot be loaded. Code syntax highlighting stops working for languages whose syntax definition files haven't been downloaded.

Logs

No response

Screenshot/Video

No response

Does this issue happen in VS Code or GitHub Codespaces?

Are you accessing code-server over HTTPS?

Notes

Suggestion: The cookie key is currently defined in src/common/http.ts as an enum const CookieKeys.Session == "code-server-session". It is more desirable for the key to be dependent on port, e.g. "code-server-session--". For example, Jupyter uses this approach to support multiple sessions.

thanhle7 commented 1 year ago

I run my same-host code server instances behind a reverse proxy with my external social authentication without any problem.

pigpag commented 1 year ago

External social authentication probably issues auth tokens in a different way that won't cause a collision. I am talking about the built-in auth mechanism, which does not have the port number in the cookie key.
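The collision reported in this issue follows from how browsers store cookies: the key is (name, domain, path) and the port is not part of it (RFC 6265, section 8.5). The sketch below is an added example, not code from code-server or from anyone in this thread. The host name `devbox`, the session values, the `Instance` class, the per-port name format and the assumption that each instance accepts only its own session value are all constructed for illustration.

```javascript
// Minimal model of a browser cookie jar: keyed by name, host and path, never by port.
class CookieJar {
  constructor() { this.store = new Map(); }
  key(origin, name, path) {
    const { hostname } = new URL(origin); // hostname drops the port
    return `${name};${hostname};${path}`;
  }
  set(origin, name, value, path = "/") { this.store.set(this.key(origin, name, path), value); }
  get(origin, name, path = "/") { return this.store.get(this.key(origin, name, path)); }
}

// Hypothetical stand-in for one code-server instance using built-in auth.
// Assumption: an instance accepts only the session value it issued itself.
class Instance {
  constructor(port, sessionValue, cookieName) {
    this.origin = `http://devbox:${port}`; // constructed host name
    this.sessionValue = sessionValue;
    this.cookieName = cookieName;
  }
  login(jar) { jar.set(this.origin, this.cookieName, this.sessionValue); }
  // Status an authenticated resource request would get with the jar's current cookie.
  request(jar) {
    return jar.get(this.origin, this.cookieName) === this.sessionValue ? 200 : 401;
  }
}

// Log in to the instance on 8080, then 8081, in one browser profile,
// then request a protected resource from each.
function simulate(cookieNameFor) {
  const jar = new CookieJar();
  const first = new Instance(8080, "session-value-A", cookieNameFor(8080));
  const second = new Instance(8081, "session-value-B", cookieNameFor(8081));
  first.login(jar);
  second.login(jar); // same name, host and path: replaces the first cookie
  return { first: first.request(jar), second: second.request(jar) };
}

// Current behaviour described in the issue: one fixed cookie name.
const fixedName = () => "code-server-session";
// Suggested direction: make the name depend on the port (this suffix format is hypothetical).
const portScopedName = (port) => `code-server-session-${port}`;

console.log("fixed name:      ", simulate(fixedName));
console.log("port-scoped name:", simulate(portScopedName));
```

With the fixed name the first instance answers 401 after the second login; with a port-scoped name both sessions coexist in the same jar.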