From: "Omar Polo"
Subject: Re: gotwebd login status and logout link
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Sat, 07 Feb 2026 21:12:29 +0100

Stefan Sperling wrote:
> Make gotwebd display the name of the logged in user, and add a link which
> can be clicked to log out (asking the browser to delete the auth cookie).

a nitpick is that GET should be idempotent, and so they can be cached, so
it'd be better for the logout to be a form that POSTs somewhere.  We don't
actually have anything at the moment to deal with non-GET requests so it's
probably fine.

> ok?

just one nit regarding how cookies are deleted, otherwise yes, ok op@

> [...]
> --- gotwebd/auth.c
> +++ gotwebd/auth.c
> @@ -420,6 +420,69 @@ err:
> }
> }
>
> +static void
> +do_logout(struct request *c)
> +{
> [...]
> + /* Ask the browser to delete the authentication cookie. */
> + r = tp_writef(c->tp, "Clear-Site-Data: \"cookies\"\r\n");

this is a bit of a too big hammer for the job we're trying to do.  gotwebd
might be running on the same domain as other software, and deleting all the
cookies seems a bit rude.

what we could do instead is setting the cookie to an invalid value and with
an expired date, like:

	Set-Cookie: gtdauth=invalid; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT

(actually, re-reading this i noticed that the fact that we're setting Path=/
is even slightly wrong, should be the prefix where gotwebd is actually
running.)

> + if (r == -1) {
> + error = got_error_from_errno("tp_writef");
> + goto err;
> + }
> +
> + memset(&url, 0, sizeof(url));
> + url.action = INDEX;
> + gotweb_reply(c, 307, "text/html", &url);
> + return;
> +
> +err:
> + free(hostname);
> + hostname = NULL;
> +
> + log_warnx("%s: %s", __func__, error->msg);
> + c->t->error = error;
> + if (gotweb_reply(c, 400, "text/html", NULL) == -1)
> + return;
> + gotweb_render_page(c->tp, gotweb_render_error);
> +}
> +
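Review bot: in do_logout the return value of `gotweb_reply(c, 307, "text/html", &url);` is discarded on the success path, while the `err:` path checks `gotweb_reply(c, 400, ...) == -1` before rendering; the 307 call should get the same check so a failed header write is logged rather than silently returning. On the cookie handling: `Clear-Site-Data: "cookies"` removes every cookie for the origin, not only gtdauth, and browsers only honour that header on HTTPS responses, so a plain-HTTP deployment would not log out at all; the targeted Set-Cookie proposed in the reply is the better tool, with the caveat that it only replaces the existing cookie when the name and the Path (and Domain, if one was used) match exactly what the login response set, and `Max-Age=0` is the modern way to say "expire now" alongside the 1970 Expires date. Lastly, because the logout is reachable through a plain GET link, any third-party page that embeds the URL can force a user's session to end; the POST form mentioned in the reply, once non-GET handling exists, closes that.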
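The reply's point about Path deserves a concrete check: a browser keys a cookie on (name, domain, path), so a clearing Set-Cookie with `Path=/` does not touch a cookie that was created with `Path=/git`; it just creates a second, already-expired cookie and the session cookie survives. The C below is an added illustration, not gotwebd code: `build_logout_cookie` formats the replacement header the reply suggests (with the added `Max-Age=0`), and `logout_cookie_matches` parses two Set-Cookie values and reports whether the second would actually remove the first. The cookie name `gtdauth` and the prefix `/git` are taken from the thread and constructed for the demo respectively; the helper names are hypothetical.

```c
#include <stdio.h>
#include <string.h>
#include <strings.h>

/* Copy the cookie name (text before the first '=') into out. */
static int
cookie_name(const char *hdr, char *out, size_t outlen)
{
	const char *e = strchr(hdr, '=');
	size_t n;

	if (e == NULL)
		return -1;
	n = (size_t)(e - hdr);
	if (n == 0 || n >= outlen)
		return -1;
	memcpy(out, hdr, n);
	out[n] = '\0';
	return 0;
}

/* Copy the value of attribute `attr` (case-insensitive, e.g. "Path") from a
 * Set-Cookie value into out. Returns -1 when the attribute is absent. */
static int
cookie_attr(const char *hdr, const char *attr, char *out, size_t outlen)
{
	const char *p = hdr;
	size_t alen = strlen(attr), n;

	while ((p = strchr(p, ';')) != NULL) {
		p++;
		while (*p == ' ')
			p++;
		if (strncasecmp(p, attr, alen) == 0 && p[alen] == '=') {
			const char *v = p + alen + 1;
			const char *e = strchr(v, ';');

			n = e != NULL ? (size_t)(e - v) : strlen(v);
			if (n >= outlen)
				return -1;
			memcpy(out, v, n);
			out[n] = '\0';
			return 0;
		}
	}
	return -1;
}

/*
 * Build the Set-Cookie value that asks the browser to drop cookie `name`.
 * `prefix` is the URL prefix gotwebd is served under (e.g. "/git") and must
 * equal the Path the auth cookie was set with. Max-Age=0 is the modern
 * form; the 1970 Expires date covers clients that ignore Max-Age.
 */
int
build_logout_cookie(char *buf, size_t len, const char *name,
    const char *prefix)
{
	int r;

	if (prefix == NULL || prefix[0] != '/')
		prefix = "/";
	r = snprintf(buf, len, "%s=invalid; Path=%s; Max-Age=0; "
	    "Expires=Thu, 01 Jan 1970 00:00:00 GMT; HttpOnly", name, prefix);
	return (r < 0 || (size_t)r >= len) ? -1 : 0;
}

/*
 * Return 1 when `clear_hdr` would remove the cookie created by `set_hdr`:
 * same name, same Path, and an expiry in the past. Domain is assumed
 * absent on both. A missing Path really defaults to the request URL's
 * directory; "/" is the simplification used here.
 */
int
logout_cookie_matches(const char *set_hdr, const char *clear_hdr)
{
	char n1[64], n2[64], p1[256], p2[256], age[16], exp[64];

	if (cookie_name(set_hdr, n1, sizeof(n1)) == -1 ||
	    cookie_name(clear_hdr, n2, sizeof(n2)) == -1)
		return 0;
	if (strcmp(n1, n2) != 0)
		return 0;
	if (cookie_attr(set_hdr, "Path", p1, sizeof(p1)) == -1)
		strcpy(p1, "/");
	if (cookie_attr(clear_hdr, "Path", p2, sizeof(p2)) == -1)
		strcpy(p2, "/");
	if (strcmp(p1, p2) != 0)
		return 0;
	/* Expiry: Max-Age=0, or any Expires attribute (date parsing omitted). */
	if (cookie_attr(clear_hdr, "Max-Age", age, sizeof(age)) == 0 &&
	    strcmp(age, "0") == 0)
		return 1;
	return cookie_attr(clear_hdr, "Expires", exp, sizeof(exp)) == 0;
}

int
main(void)
{
	char clear[256];
	/* Constructed: what a login response under the /git prefix might set. */
	const char *set = "gtdauth=s3cr3t; Path=/git; HttpOnly; Secure";

	build_logout_cookie(clear, sizeof(clear), "gtdauth", "/git");
	printf("Set-Cookie: %s\n  clears original: %d\n", clear,
	    logout_cookie_matches(set, clear));
	build_logout_cookie(clear, sizeof(clear), "gtdauth", "/");
	printf("Set-Cookie: %s\n  clears original: %d\n", clear,
	    logout_cookie_matches(set, clear));
	return 0;
}
```

The second call in `main` reproduces the `Path=/` slip from the reply: the header is well-formed, yet the check reports 0 because the path differs from the one the cookie was created with.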