Func
> It also mentions some other settings besides the username and password, changing which should lead to the termination of sessions.
>
> How about it?

Done.
> It wouldn't know that you were intercepting/redirecting the traffic.

The [`X-Forwarded-Proto` header](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/X-Forwarded-Proto) can be used to determine if the login request is received via HTTPS and set the Secure...
> > Since you are intercepting/redirecting the traffic, you should modify the header on Cloudflare side. Not sure if Cloudflare provides such functionality though.
>
> What about it? Is...
> And you are just suggesting to move that complication into qbt instead. It doesn't disappear.

I believe the level of complexity is different, making it do so from the...
> > It seems qbt didn't follow the "except on localhost" part. This should be a valid bug.
>
> @Func86 Could you explain how does Cloudflare connect to webUI...
Hum, I think the linked PR will not help the case here. As far as I can see, the `env().clientAddress` would be set to the IP in the `X-Forwarded-For` header...
> It would be nice if you can actually test it and verify that it also works for you. Our review process will go faster if the feature/fix can be...
I did a survey on other web apps I happened to host, so for your information:

* MediaWiki: Have a config for the secure flag (true|false|"detect"), which defaults to true...
https://github.com/cockpit-project/cockpit/blob/19e32033581fb91186e19a9ad3e2d2ddb14142da/src/ws/cockpitauth.c#L1580-L1588 vs https://github.com/cockpit-project/cockpit/blob/19e32033581fb91186e19a9ad3e2d2ddb14142da/src/common/cockpitwebserver.c#L1343-L1360 which is used for the `cockpit_auth_empty_cookie_value` function.
Yes, so the behaviour is inconsistent before and after login.