From: "Omar Polo"
Subject: Re: gotwebd login status and logout link
To: Stefan Sperling
Cc: gameoftrees@openbsd.org
Date: Mon, 09 Feb 2026 16:03:18 +0100

Stefan Sperling wrote:
> On Sat, Feb 07, 2026 at 09:12:29PM +0100, Omar Polo wrote:
> > Stefan Sperling wrote:
> > > Make gotwebd display the name of the logged in user, and add a link which
> > > can be clicked to log out (asking the browser to delete the auth cookie).
> >
> > a nitpick is that GET should be idempotent, and so they can be cached,
> > so it'd be better for the logout to be a form that POST somewhere.
> >
> > We don't actually have anything at the moment to deal with non-GET
> > requests so it's probably fine.
> >
> > > ok?
> >
> > just one nit regarding how cookies are deleted, otherwise yes, ok op@
> >
> > > [...]
> > > --- gotwebd/auth.c
> > > +++ gotwebd/auth.c
> > > @@ -420,6 +420,69 @@ err:
> > > }
> > > }
> > >
> > > +static void
> > > +do_logout(struct request *c)
> > > +{
> >
> > > [...]
> >
> > > + /* Ask the browser to delete the authentication cookie. */
> > > + r = tp_writef(c->tp, "Clear-Site-Data: \"cookies\"\r\n");
> >
> > this is a bit of a too big hammer for the job we're trying to do.
> > gotwebd might be running on the same domain as other software, and
> > deleting all the cookies seems a bit rude.
> >
> > what we could do instead is setting the cookie to an invalid value and
> > with an expired date, like:
> >
> > Set-Cookie: gtdauth=invalid; Path=/; expires=Thu, 01 Jan 1970 00:00:00 GMT
> >
> > (actually, re-reading this i noticed that the fact that we're setting
> > Path=/ is even slightly wrong, should be the prefix where gotwebd is
> > actually running.)
>
> My initial attempt at this used Set-Cookie but I preserved the auth
> token value while setting a negative expiry date. Somehow this was
> not enough, and the Logout link didn't work (at least in Firefox, did
> not try others). With some more fiddling I could get it to work, see below.
>
> I have fixed the Path attribute of the auth cookie, too. During testing I
> found that the Set-Cookie Path must match in both Set-Cookie headers for
> login and logout to work, so this seems to have the desired effect of
> scoping the cookie to the pages generated by gotwebd.
>
> ok?

danke! ok op@
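Review bot: the `Clear-Site-Data: "cookies"` header emitted in do_logout clears every cookie the browser holds for the site, not just gotwebd's, so any other application sharing the host loses its session on a gotwebd logout; the scoped replacement is a `Set-Cookie` for `gtdauth` alone carrying a placeholder value and an expiry in the past, and its `Path` must equal the `Path` sent on login (the thread confirms that a mismatched Path leaves the original cookie in place, since the browser treats it as a different cookie).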
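Stefan's observation that the logout Set-Cookie only takes effect when its Path matches the login cookie's, as an added example that is not gotwebd code: it uses Python's stdlib http.cookiejar, which applies the same name/domain/Path matching rule a browser does before honouring an expired cookie as a deletion. The host name, URL prefix and token value are constructed for the example.

```python
import email.message
import http.cookiejar
import urllib.request

# Constructed values: gotwebd assumed to be served under PREFIX on this host.
PREFIX = "/gotweb"
URL = "http://git.example.test" + PREFIX + "/?action=logout"
COOKIE = "gtdauth"


class _Response:
    """Minimal stand-in for an HTTP response: the jar only calls info()."""

    def __init__(self, set_cookie_headers):
        self._headers = email.message.Message()
        for value in set_cookie_headers:  # repeated Set-Cookie lines, as on the wire
            self._headers["Set-Cookie"] = value

    def info(self):
        return self._headers


def apply_headers(jar, set_cookie_headers):
    """Feed Set-Cookie headers into the jar as if the browser received them
    in a response to URL, and return the (name, path) pairs still stored."""
    req = urllib.request.Request(URL)
    jar.extract_cookies(_Response(set_cookie_headers), req)
    return sorted((c.name, c.path) for c in jar)


def logout_header(path):
    """The deletion header from the thread: placeholder value, expiry in the past."""
    return f"{COOKIE}=invalid; Path={path}; expires=Thu, 01 Jan 1970 00:00:00 GMT"


def simulate(login_path, logout_path):
    """Log in with one Path, log out with another; return what survives."""
    jar = http.cookiejar.CookieJar()
    # Constructed token; the real gotwebd token format is not shown on the page.
    apply_headers(jar, [f"{COOKIE}=token-xyz; Path={login_path}; HttpOnly"])
    return apply_headers(jar, [logout_header(logout_path)])


if __name__ == "__main__":
    # Path=/ on logout does not match the stored Path=/gotweb cookie: it stays.
    print("Path mismatch:", simulate(PREFIX, "/"))
    # Same Path on both headers: the expired Set-Cookie removes it.
    print("Path matches :", simulate(PREFIX, PREFIX))
```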