coder
[Bug]: Multiple instances on the same host with different ports overwrite each other's login cookies
Is there an existing issue for this?
- [X] I have searched the existing issues
OS/Web Information
- Web Browser: Chrome 110
- Local OS: Windows
- Remote OS: CentOS 7.9
- Remote Architecture: amd64
code-server --version: 4.12.0
Steps to Reproduce
- Start two code-server instances on the same host with different ports
- On the remote machine, start two browsers connecting to the two ports
Expected
Both work independently well
Actual
When the second browser session connects to the code-server, the first session's cookie gets overwritten, causing a lot of resource acquisition to have HTTP 401 Unauthorized errors. For example, extension introduction pages cannot be loaded. Code syntax highlighting stops working for languages whose syntax definition files haven't been downloaded.
Logs
No response
Screenshot/Video
No response
Does this issue happen in VS Code or GitHub Codespaces?
- [X] I cannot reproduce this in VS Code.
- [X] I cannot reproduce this in GitHub Codespaces.
Are you accessing code-server over HTTPS?
- [X] I am using HTTPS.
Notes
Suggestion: The cookie key is currently defined in src/common/http.ts as an enum const CookieKeys.Session == "code-server-session". It is more desirable for the key to be dependent on port, e.g. "code-server-session-
I run my same-host code server instances behind reverse proxy with my external social authentication without any problem.
External social authentication probably issues auth tokens in a different way that won't cause collision. I am talking about the built-in auth mechanism, which does not have the port number in the cookie key.