[GH-ISSUE #1644] Pangolin does not set proper cookie domain #1968

Closed
opened 2026-04-16 08:52:37 -05:00 by GiteaMirror · 2 comments

Originally created by @mihaiblaga89 on GitHub (Oct 9, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1644

Describe the Bug

I've configured Pangolin with `example.com` domain and I've added a resource mapped to `a.b.example.com`. Pangolin is set to `pangolin.example.com`. However, the cookie (`p_session_token`) set by the auth endpoint is set to domain `.pangolin.example.com`, which will not be sent for `a.b.example.com`, and this creates a redirect loop. Pangolin is set to use an OIDC provider, in my case Google.

I've dug around the code a bit to check if I can override the domain with maybe an env variable or the config but can't find anything.


Environment

  • OS Type & Version: Ubuntu 25.04
  • Pangolin Version: 1.10.3
  • Gerbil Version: 1.2.1
  • Traefik Version: 3.5
  • Newt Version:
  • Olm Version: (if applicable)

To Reproduce

Create the above-mentioned config.

Expected Behavior

I'd expect to be at least able to override the cookie domain, if setting the cookie on FQDN out of the box cannot be done.
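
The cookie scoping rule the report relies on, as an added example that is not part of the original issue and not Pangolin or Badger code: a simplified RFC 6265 domain-match (no public-suffix check) applied to the hostnames above. `other.example.com` is a constructed hostname, and the function names are hypothetical.

```javascript
// Simplified RFC 6265 domain-matching (sections 5.1.3 and 5.2.3).
// Added illustration; does not model the public-suffix list.

// IP literals never suffix-match a Domain attribute.
const isIpLiteral = (h) => /^\d{1,3}(\.\d{1,3}){3}$/.test(h) || h.includes(":");

// Normalise a Domain attribute: lowercase, drop one leading dot.
function canonicalCookieDomain(attr) {
  const d = attr.trim().toLowerCase();
  return d.startsWith(".") ? d.slice(1) : d;
}

// True when a request to `host` would carry a cookie whose
// Domain attribute is `domainAttr`.
function domainMatches(host, domainAttr) {
  const h = host.toLowerCase();
  const d = canonicalCookieDomain(domainAttr);
  if (d === "") return false; // empty attribute = host-only cookie, not modelled
  if (h === d) return true;
  // Suffix match only on a label boundary.
  return !isIpLiteral(h) && h.endsWith("." + d);
}

// Hostnames from the report, plus one constructed unrelated subdomain.
const HOSTS = ["pangolin.example.com", "a.b.example.com", "other.example.com"];

function hostsReceiving(domainAttr, hosts = HOSTS) {
  return hosts.filter((h) => domainMatches(h, domainAttr));
}

// Cookie scoped as in the report: only the Pangolin host matches.
console.log(hostsReceiving(".pangolin.example.com"));
// Cookie widened to the parent domain: every subdomain matches.
console.log(hostsReceiving("example.com"));
```

The second result shows the trade-off of a parent-domain override: the session token would be sent to every host under `example.com`, not only the intended resource.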


@miloschwartz commented on GitHub (Oct 9, 2025):

I think the bug you're experiencing is the same as #1540. I recently pushed a commit to fix this, but it hasn't been released yet. It doesn't have to do with the cookie, but some other logic related to the auto redirect (you can check my commit). Badger in Traefik is responsible for setting the session cookie for the resource domain.

If you confirm the issue is the same as #1540 I will close this as duplicate.


@mihaiblaga89 commented on GitHub (Oct 9, 2025):

Seems similar to what I encounter, and I also have "auto provision", so
let's close this and I'll wait for the release, and if it doesn't fix my
issue I will reopen it. Thanks!

Reference: github-starred/pangolin#1968