qbittorrent / qBittorrent

qBittorrent BitTorrent client
https://www.qbittorrent.org

WebUI login doesn't persist. Cookie expiration is never set and defaults to "session". #20993

Open costia opened 4 months ago

costia commented 4 months ago

qBittorrent & operating system versions

qBittorrent: 4.6.5
Operating system: WebUI on any OS, Win11 host

What is the problem?

When logging in via WebUI, the session timeout set in the WebUI preferences is not respected. For example, on mobile devices, where the browser is often killed to free memory, the WebUI asks me to log in almost every time I go back to the browser and the page is reloaded.

I looked at /src/webui/webapplication.cpp and it looks like the timeout from the WebUI preferences is only used in the server-side check. So the cookie that is sent to the browser doesn't have its expiration time set according to the preferences, resulting in a "session cookie". https://doc.qt.io/qt-6/qnetworkcookie.html#details : "If the expiration date is not present, the cookie is considered a "session cookie" and should be discarded when the application exits"

Specifically around line 743, where the cookie is being constructed and sent to the browser, there aren't any calls to setExpirationDate(), resulting in a session-only cookie by default. https://github.com/qbittorrent/qBittorrent/blob/9d87a813b2df6fa1c18a116f1760b47a507a50a1/src/webui/webapplication.cpp#L743

Steps to reproduce

  1. login via WebUI
  2. close browser
  3. re-open browser and go to the webUI

expected: staying logged in until the timeout set in webUI preferences expires

actual result: user is no longer logged in and is required to login again

Additional context

image

Log(s) & preferences file(s)

No response

Chocobo1 commented 4 months ago

> For example on mobile devices, where the browser is often killed to free memory, the webUI asks me to login almost every time I go back to the browser and the page is reloaded.

Sounds like your browser is at fault. From https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#removal_defining_the_lifetime_of_a_cookie :

> Session cookies — cookies without a Max-age or Expires attribute – are deleted when the current session ends. The browser defines when the "current session" ends, and some browsers use session restoring when restarting. This can cause session cookies to last indefinitely.

You should tweak your browser to enable session restoring, especially if it will be killed unexpectedly.

> Specifically around line 743, where the cookie is being constructed and sent to the browser, there aren't any calls to setExpirationDate(), resulting in a session-only cookie by default.

It is intended that a WebUI session is tied to a browsing session.

costia commented 4 months ago

> You should tweak your browser to enable session restoring, especially if it will be killed unexpectedly.

I don't see any such options on Safari or Chrome on iPadOS.

> It is intended that a WebUI session is tied to a browsing session.

That is rather surprising. I assumed that since there is a timeout in the preferences, the intended behaviour would be equivalent to what most web apps do when "remember me" is checked. I guess it's a missing feature then.

rioradio commented 4 months ago

I confirm, I have the same problem. I only have to close the browser for the qBittorrent WebUI to ask me to enter my username and password. Please add Max-age or Expires to your cookies when logging in:

cookie.setExpirationDate(QDateTime::currentDateTime().addSecs(m_sessionTimeout));
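The behaviour discussed in this thread, as an added example in standard C++ (no Qt); it is not part of any comment above and is not qBittorrent code. It models a cookie with and without Max-Age, a browser restart without session restore, and the server-side timeout check. The `Cookie` struct, the function names, the `SID` cookie name, the attribute set and the 3600-second timeout are all assumptions made for illustration.

```cpp
// Added illustration in standard C++ (no Qt); not qBittorrent source code.
#include <iostream>
#include <optional>
#include <string>

// Hypothetical cookie model: an empty maxAgeSecs means a "session cookie".
struct Cookie {
    std::string name, value;
    std::optional<long> maxAgeSecs;
};

// Serialize as a Set-Cookie header value; Max-Age is emitted only when set.
std::string toSetCookie(const Cookie &c) {
    std::string h = c.name + "=" + c.value + "; Path=/; HttpOnly; SameSite=Strict";
    if (c.maxAgeSecs) h += "; Max-Age=" + std::to_string(*c.maxAgeSecs);
    return h;
}

// Browser side, assuming no session restore: a session cookie is dropped on
// restart; a persistent cookie is kept until Max-Age seconds have elapsed.
bool browserKeeps(const Cookie &c, long elapsedSecs, bool restarted) {
    if (!c.maxAgeSecs) return !restarted;
    return elapsedSecs < *c.maxAgeSecs;
}

// Server side: the check that uses the timeout from the WebUI preferences.
bool serverAccepts(long elapsedSecs, long sessionTimeoutSecs) {
    return elapsedSecs < sessionTimeoutSecs;
}

// The user stays logged in only if both sides still honour the session.
bool stillLoggedIn(const Cookie &c, long elapsedSecs, bool restarted, long timeoutSecs) {
    return browserKeeps(c, elapsedSecs, restarted) && serverAccepts(elapsedSecs, timeoutSecs);
}

int main() {
    const long timeout = 3600;  // constructed sample: 1 hour session timeout
    const Cookie sessionOnly{"SID", "constructed-value", std::nullopt};
    // Max-Age equals the server timeout, so the browser never holds the
    // cookie longer than the server would accept it.
    const Cookie persistent{"SID", "constructed-value", timeout};
    std::cout << toSetCookie(sessionOnly) << "\n" << toSetCookie(persistent) << "\n";
    std::cout << std::boolalpha
              << "session cookie, restart after 60 s: " << stillLoggedIn(sessionOnly, 60, true, timeout) << "\n"
              << "persistent, restart after 60 s:     " << stillLoggedIn(persistent, 60, true, timeout) << "\n"
              << "persistent, restart after 4000 s:   " << stillLoggedIn(persistent, 4000, true, timeout) << "\n";
    return 0;
}
```

In both variants the server-side check still bounds the session, so a persistent cookie changes only how long the browser keeps presenting it.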