From: "Omar Polo" <op@omarpolo.com>
Subject: Re: gotwebd login status and logout link
To: Stefan Sperling <stsp@stsp.name>
Cc: gameoftrees@openbsd.org
Date: Mon, 09 Feb 2026 16:03:18 +0100

Stefan Sperling <stsp@stsp.name> wrote:
> On Sat, Feb 07, 2026 at 09:12:29PM +0100, Omar Polo wrote:
> > Stefan Sperling <stsp@stsp.name> wrote:
> > > Make gotwebd display the name of the logged in user, and add a link which
> > > can be clicked to log out (asking the browser to delete the auth cookie).
> > 
> > a nitpick is that GET should be idempotent, and so they can be cached,
> > so it'd be better for the logout to be a form that POSTs somewhere.
> > 
> > We don't actually have anything at the moment to deal with non-GET
> > requests so it's probably fine.
> > 
> > > ok?
> > 
> > just one nit regarding how cookies are deleted, otherwise yes, ok op@
> > 
> > > [...]
> > > --- gotwebd/auth.c
> > > +++ gotwebd/auth.c
> > > @@ -420,6 +420,69 @@ err:
> > >  	}
> > >  }
> > >  
> > > +static void
> > > +do_logout(struct request *c)
> > > +{
> > 
> > > [...]
> > 
> > > +	/* Ask the browser to delete the authentication cookie.  */
> > > +	r = tp_writef(c->tp, "Clear-Site-Data: \"cookies\"\r\n");
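Review bot: the `Clear-Site-Data: "cookies"` response header written at the end of do_logout() is not scoped to the gtdauth cookie; it asks the browser to discard every cookie for the origin, so any other application served from the same host loses its session on a gotwebd logout. Re-sending Set-Cookie for gtdauth alone, with an expiry date in the past and the same Path the login handler used, removes only that cookie; note that a Path differing from the login one does not match the stored cookie and leaves it in place.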
> > 
> > this is a bit of a too big hammer for the job we're trying to do.
> > gotwebd might be running on the same domain as other software, and
> > deleting all the cookies seems a bit rude.
> > 
> > what we could do instead is setting the cookie to an invalid value and
> > with an expired date, like:
> > 
> > Set-Cookie: gtdauth=invalid; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
> > 
> > (actually, re-reading this i noticed that the fact that we're setting
> > Path=/ is even slightly wrong, should be the prefix where gotwebd is
> > actually running.)
>  
> 
> My initial attempt at this used Set-Cookie but I preserved the auth
> token value while setting a negative expiry date. Somehow this was
> not enough, and the Logout link didn't work (at least in Firefox, did
> not try others).  With some more fiddling I could get it to work, see below.
> 
> I have fixed the Path attribute of the auth cookie, too. During testing I
> found that the Set-Cookie Path must match in both Set-Cookie headers for
> login and logout to work, so this seems to have the desired effect of
> scoping the cookie to the pages generated by gotwebd.
> 
> ok?

danke!  ok op@
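As an added example that is not gotwebd code and was not written by either poster, the following C models the browser-side behaviour behind the Path observation in the thread: RFC 6265 treats name plus Path as a cookie's identity, so an expired Set-Cookie for gtdauth with Path=/ leaves a gtdauth cookie stored under Path=/gotweb untouched, while one carrying the matching Path deletes it. The /gotweb prefix, the s3cr3t value and the eight-entry jar are constructed for the illustration.

```c
#define _GNU_SOURCE	/* strptime(), timegm(), strcasecmp() */
#include <stdio.h>
#include <string.h>
#include <time.h>
/* Constructed browser-side jar. RFC 6265 identifies a cookie by name and
 * Path (Domain left out), so gtdauth at Path=/gotweb and at Path=/ differ. */
struct cookie { char name[32]; char value[64]; char path[64]; };
static struct cookie jar[8];
static int njar;

/* Constructed headers: a login cookie scoped to a /gotweb prefix, a
 * logout with the wrong Path, and one whose Path matches the login. */
const char *login_hdr = "gtdauth=s3cr3t; Path=/gotweb; HttpOnly";
const char *bad_logout_hdr = "gtdauth=invalid; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT";
const char *logout_hdr = "gtdauth=invalid; Path=/gotweb; expires=Thu, 01 Jan 1970 00:00:00 GMT";
/* Applies one Set-Cookie header and returns the number of stored cookies.
 * An expired date removes only the cookie whose name and Path both match. */
int
apply_set_cookie(const char *header)
{
	struct cookie c = { .path = "/" };
	struct tm tm = { 0 };
	char buf[256], *tok, *eq;
	int expired = 0, i;

	snprintf(buf, sizeof(buf), "%s", header);
	for (tok = strtok(buf, ";"); tok != NULL; tok = strtok(NULL, ";")) {
		tok += strspn(tok, " ");
		if ((eq = strchr(tok, '=')) == NULL)
			continue;			/* HttpOnly, Secure, ... */
		*eq++ = '\0';
		if (c.name[0] == '\0') {		/* first pair is name=value */
			snprintf(c.name, sizeof(c.name), "%s", tok);
			snprintf(c.value, sizeof(c.value), "%s", eq);
		} else if (strcasecmp(tok, "Path") == 0)
			snprintf(c.path, sizeof(c.path), "%s", eq);
		else if (strcasecmp(tok, "Expires") == 0)
			expired = strptime(eq, "%a, %d %b %Y %H:%M:%S GMT", &tm)
			    != NULL && timegm(&tm) < time(NULL);
	}
	for (i = 0; i < njar && (strcmp(jar[i].name, c.name) != 0 ||
	    strcmp(jar[i].path, c.path) != 0); i++)
		;				/* find the (name, Path) identity */
	if (expired) {
		if (i < njar)
			jar[i] = jar[--njar];	/* delete the matching cookie only */
	} else if (i < njar || njar < 8)
		jar[i < njar ? i : njar++] = c;	/* replace, or add a new one */
	return njar;
}
```

strptime() and timegm() are not in ISO C, hence the _GNU_SOURCE define for glibc; on the BSDs they are declared by default.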