login token in url when user is logged in causes 403

[teleclimber]

If a logged in appspace user visits the appspace by opening a URL that includes a login token, they are given a 403. That's not right. We should

• treat token errors such taht they don't revent a logged in user from continuing.
• Make it so login tokens do not make it into bookmarked URLs (for example) by redirecting to same URL without token.

[teleclimber]

I can't reproduce this.

[teleclimber]

Actually I think I can reproduce this now. Simply entering the appspace and then reloading the page (which still has the login token) causes the 403.

Edit: I am able to get this with ds-host running on a Mac with no TLS and accessed from http://dropid.localhost and the appspace at http://leftovers.localhost It's possible the lack of TLS changes how the cookie is saved?

Edit 2: The browser (or FireFox at least) does not send the cookie on page refresh. It's just not in the request headers. This is if you enter appspace, and refresh the page. The cookie is saved, but not sent.

[teleclimber]

Ah it's because of the SameSite attribute. In Chrome dev tools it shows the cookie that was not sent and explains that SameSite=strict means cookie does not get sent if from another site or top level navigation, which presumably includes refreshes.