github-actions[bot]
commented
2 weeks ago Hi there @enkelmedia!
Firstly, a big thank you for raising this issue. Every piece of feedback we receive helps us to make Umbraco better.
We really appreciate your patience while we wait for our team to have a look at this but we wanted to let you know that we see this and share with you the plan for what comes next.
- We'll assess whether this issue relates to something that has already been fixed in a later version of the release that it has been raised for.
- If it's a bug, is it related to a release that we are actively supporting or is it related to a release that's in the end-of-life or security-only phase?
- We'll replicate the issue to ensure that the problem is as described.
- We'll decide whether the behavior is an issue or if the behavior is intended.
We wish we could work with everyone directly and assess your issue immediately but we're in the fortunate position of having lots of contributions to work with and only a few humans who are able to do it. We are making progress though and in the meantime, we will keep you in the loop and let you know when we have any questions.
Thanks, from your friendly Umbraco GitHub bot :robot: :slightly_smiling_face:
nul800sebastiaan
enkelmedia
kjac
Which Umbraco version are you using? (Please write the exact version, example: 10.1.0)
14.2.0
Bug summary
I'm working on something that needs to check if the user is currently logged in to the backoffice from places outside of the backoffice. Some parts are also used inside the backoffice (so some kind of a hybrid-thing). This feature, that used to work on v13, uses the backoffice cookie configured for
Umbraco.Cms.Core.Constants.Security.BackOfficeAuthenticationTypeto check if the current request comes from a backoffice authenticated user.I've shared a snippet here that is similar to what I currently do: https://our.umbraco.com/forum/umbraco-9/106857-how-do-i-determine-if-a-backoffice-user-is-logged-in-from-a-razor-view#comment-334423
After moving to v14 it seems like this cookie is more or less not used by the backoffice anymore? After manually removing the cookie, the backoffice still works as expected and I'm not "thrown out". I know that the Management API uses a bearer token for auth, but the cookie is still set during login which makes it kind of tempting for me (an possibly other developers https://github.com/umbraco/Umbraco-CMS/issues/17358) to use this cookie.
There are a couple of potential issues here:
As far as I understand this cookie is only renewed on a full page reload. If something inside the backoffice rely on the cookie it could timeout if the logged in editor is using the backoffice for a long time (keeping tab open etc) without reloading.
When working on localhost it's common to run different sites on that hostname. If I start another site (e.g. a Umbraco 13 website) on localhost and login, this will overwrite the cookie. When going back to v14, nothing will notice this and the "thing" that rely on the cookie will not work. Not even after a page reload.
I'm kind of wondering if this cookie is just a left over from the past? At the same time, we have some nice use cases for this cookie, for example using it for test/stage environments so that we can force a backoffice user login before allowing someone to access the site. Without the cookie we would not be able to know that they are logged in.
So I guess the answer to the question about the future of this cookie will dictate of this is something that should be addressed or if I need to look for another solution. I've notice in the core-code that @kjac wrote some of the stuff around this, maybe you know more?
Cheers!
Update: It came to my mind that @nul800sebastiaan's great Hangfire-dashboard uses the same technique and would probably suffer from the same issues.
https://github.com/nul800sebastiaan/Cultiv.Hangfire/blob/bellissima/Cultiv.Hangfire/UmbracoBuilderExtensions.cs