os-js / osjs-client

OS.js Client Module
https://manual.os-js.org/

403 forbidden error while selecting mountpoint #171

Closed mahsashadi closed 2 years ago

mahsashadi commented 2 years ago

Sometimes I cannot access my files by selecting any of the mountpoints, except Applications. I need to refresh the browser for it to work properly. It shows a 403 forbidden error. I am using OS.js in Docker mode, with my own built image.

[Screenshot: Screenshot from 2021-11-13 14-30-02]

Dockerfile: (I simplified this file here, there are some other packages installed)

FROM node:10
WORKDIR /usr/src/osjs
COPY . .
COPY hafez-entrypoint.sh .
RUN npm install
WORKDIR /usr/src/osjs

EXPOSE 8000

CMD ./hafez-entrypoint.sh

Docker-compose:

version: "3"
services:
  hafez:
    image: hafez/osjs:1.0
    restart: always
    container_name: hafez
    environment:
      - username=<USERNAME>
      - password=<PASSWORD>
    ports:
      - 8000:8000

andersevenrud commented 2 years ago

Might be related to this https://github.com/os-js/osjs-client/issues/169

mahsashadi commented 2 years ago

Actually I have realized that it happened in the case of having two Osjs running (on different ports).

This way as soon as I open the second osjs (in same browser and different tab, or even different browser), the first one (previously opened) will cause Access denied error by clicking on any mountpoint, and the second one will work properly.

It does not matter whether each of them is running in Docker mode or locally.

andersevenrud commented 2 years ago

You run two instances from the same installation?

mahsashadi commented 2 years ago

Actually I ran two instances with different configs and apps on two different ports (localhost:8000 & localhost:7000). Should that cause a problem?

andersevenrud commented 2 years ago

If you are running two physically different installations then there should not be any issues.

Sharing an installation would cause issues because of the session database.

mahsashadi commented 2 years ago

No, there are two different OS.js instances running on two different ports, and I am facing this problem.

andersevenrud commented 2 years ago

I think I understand what's going on here. When the browser sets the cookie, it uses the host name. So if you run two instances with the same host name (port does not matter) then it will use the same cookie -- basically the first cookie that was set.

This will not work of course. So what you need to do is either:

  1. Use different host names for your instances
  2. Change session.options.name to be unique per instance in the osjs-server config

https://datatracker.ietf.org/doc/html/rfc6265#section-8.5

Cookies do not provide isolation by port. If a cookie is readable by a service running on one port, the cookie is also readable by a service running on another port of the same server. If a cookie is writable by a service on one port, the cookie is also writable by a service running on another port of the same server. For this reason, servers SHOULD NOT both run mutually distrusting services on different ports of the same host and use cookies to store security-sensitive information.

mahsashadi commented 2 years ago

Great, thanks a lot.