mirror of
https://github.com/open-webui/open-webui.git
synced 2026-07-16 06:03:26 -05:00
Secure Session Cookies #1644
Reference in New Issue
Block a user
Delete Branch "%!s()"
Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?
Originally created by @mike-stewart on GitHub (Jul 31, 2024).
Bug Report
Description
Bug Summary:
The WEBUI_SESSION_COOKIE_SECURE environment variable sets the secure flag on the "oui-session" cookie, but not the "token" cookie.
Here it is set:
82079e644a/backend/main.py (L2118-L2124)Here it is not set:
82079e644a/backend/main.py (L2243-L2247)82079e644a/backend/apps/webui/routers/auths.py (L59-L63)Steps to Reproduce:
Login with oauth.
Expected Behavior:
All sensitive cookies should have the secure flag set when
WEBUI_SESSION_COOKIE_SECURE=true.Actual Behavior:
The
tokencookie does not have the Secure flag set.Environment
Reproduction Details
Confirmation:
Logs and Screenshots
Browser Console Logs:
N/A
Docker Container Logs:
N/A
Screenshots (if applicable):

Installation Method
Docker
Additional Information
N/A