Secure Session Cookies #1644

Closed
opened 2025-11-11 14:49:09 -06:00 by GiteaMirror · 0 comments
Owner

Originally created by @mike-stewart on GitHub (Jul 31, 2024).

Bug Report

Description

Bug Summary:
The WEBUI_SESSION_COOKIE_SECURE environment variable sets the secure flag on the "oui-session" cookie, but not the "token" cookie.

Here it is set: 82079e644a/backend/main.py (L2118-L2124)

Here it is not set:
82079e644a/backend/main.py (L2243-L2247)
82079e644a/backend/apps/webui/routers/auths.py (L59-L63)

Steps to Reproduce:
Login with oauth.

Expected Behavior:
All sensitive cookies should have the secure flag set when WEBUI_SESSION_COOKIE_SECURE=true.

Actual Behavior:
The token cookie does not have the Secure flag set.

Environment

  • Open WebUI Version: v0.3.10

Reproduction Details

Confirmation:

  • I have read and followed all the instructions provided in the README.md.
  • I am on the latest version of both Open WebUI and Ollama.
  • I have included the browser console logs.
  • I have included the Docker container logs.

Logs and Screenshots

Browser Console Logs:
N/A

Docker Container Logs:
N/A

Screenshots (if applicable):
Screenshot 2024-07-30 at 9 01 47 PM

Installation Method

Docker

Additional Information

N/A

Originally created by @mike-stewart on GitHub (Jul 31, 2024). # Bug Report ## Description **Bug Summary:** The WEBUI_SESSION_COOKIE_SECURE environment variable sets the secure flag on the "oui-session" cookie, but not the "token" cookie. Here it is set: https://github.com/open-webui/open-webui/blob/82079e644a291349926008adffe8fe2fc3b33566/backend/main.py#L2118-L2124 Here it is not set: https://github.com/open-webui/open-webui/blob/82079e644a291349926008adffe8fe2fc3b33566/backend/main.py#L2243-L2247 https://github.com/open-webui/open-webui/blob/82079e644a291349926008adffe8fe2fc3b33566/backend/apps/webui/routers/auths.py#L59-L63 **Steps to Reproduce:** Login with oauth. **Expected Behavior:** All sensitive cookies should have the secure flag set when `WEBUI_SESSION_COOKIE_SECURE=true`. **Actual Behavior:** The `token` cookie does not have the Secure flag set. ## Environment - **Open WebUI Version:** v0.3.10 ## Reproduction Details **Confirmation:** - [x] I have read and followed all the instructions provided in the README.md. - [x] I am on the latest version of both Open WebUI and Ollama. - [x] I have included the browser console logs. - [x] I have included the Docker container logs. ## Logs and Screenshots **Browser Console Logs:** N/A **Docker Container Logs:** N/A **Screenshots (if applicable):** ![Screenshot 2024-07-30 at 9 01 47 PM](https://github.com/user-attachments/assets/367c9401-3d71-4237-af80-640f45925519) ## Installation Method Docker ## Additional Information N/A
Sign in to join this conversation.
1 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: github-starred/open-webui#1644