Skip to content

Fixes issue #7544 which adding a cookie-suffix flag #7590

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Open
Timon-D3v wants to merge 3 commits into
base: main
Choose a base branch
from
+22 −9
Open

Fixes issue #7544 which adding a cookie-suffix flag #7590

Show file tree
Hide file tree
Changes from 1 commit
Commits
Show all changes
3 commits
Select commit Hold shift + click to select a range
00838d0
Added the cookie-suffix flag and environment variable.
Timon-D3v Dec 3, 2025
5d22aec
Added a prefix for the env-variable
Timon-D3v Dec 6, 2025
10f94a8
This should resolve issue #7544 with the addition of the option to se…
Timon-D3v Dec 11, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 2 additions & 2 deletions src/common/http.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -24,6 +24,6 @@ export class HttpError extends Error {
}
}

export enum CookieKeys {
Session = "code-server-session",
export const CookieKeys = {
Session: `code-server-session${process.env?.COOKIE_SUFFIX ? "-" + process.env?.COOKIE_SUFFIX : ""}`,
Copy link
Member

@code-asher code-asher Dec 6, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

This pulls off the environment variable, but if someone sets --cookie-suffix then this will not pick up anything since it is on the flag and not in the env.

What if we made this a function? Something like:

function cookieKey(suffix) {
 // return the key name here
}

And then where we need it we can call it like:

cookieKey(req.args["cookie-suffix"])

Copy link
Author

@Timon-D3v Timon-D3v Dec 6, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oops, yeah your right... I somehow thought this would adress that (but it is the other way around XD):

if (process.env.COOKIE_SUFFIX) {
  args["cookie-suffix"] = process.env.COOKIE_SUFFIX
}

But I dont quite get what you want to do with the function.

Do you want to do something like this:

// From 
export const CookieKeys = {
  Session: `code-server-session${process.env?.CODE_SERVER_COOKIE_SUFFIX? "-" + process.env?.CODE_SERVER_COOKIE_SUFFIX : ""}`,
}


// To
export function CookieKeys(suffix: string) {
  ...
  return { Session: "..." }
}

Or more like this:

function getCookieSessionName(): string {
  if (process.env?.CODE_SERVER_COOKIE_SUFFIX) {
    return `code-server-session-${process.env.CODE_SERVER_COOKIE_SUFFIX}`
  } 

  if (args["cookie-suffix"]) {
    return .....
  }

  return "code-server-session";
}

export const CookieKeys = {
  Session: getCookieSessionName(),
}

Because from what I understand, it seems like you want to do something like the first example which does not make a lot of sense to me. This should be set one time at start up and then not be changed and also a function would mean that you had to replace every call to this to a function.

Lastly, how could i get the cli-arguments? Is there also something like process.cliArgs or a variabel that i have to import from somewhere?

Copy link
Member

@code-asher code-asher Dec 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup the second one, exactly.

So we would end up with a function like:

function getCookieSessionName(suffix?: string): string {
  return suffix ? `code-server-session-${suffix}` : "code-server-session";
}

And we could call it like:

getCookieSessionName(req.args["cookie-suffix"])

in place of CookieKeys.Session

Copy link
Member

@code-asher code-asher Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Oh and to answer the second question, the arguments are placed on the request, there is no global for them.

Copy link
Author

@Timon-D3v Timon-D3v Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ohh ok, that makes perfect sense to use it on req. But then we really cannot initialize it on startup but have to call the

getCookieSessionName(req.args["cookie-suffix"])

on every request. Don't you think that is suboptimal or is there plain no other way?

To clarify what I understand is that you would make it like this:

export const CookieKeys = {
  getCookieSessionName: function(suffix?: string): string {
    return suffix ? `code-server-session-${suffix}` : "code-server-session";
  }
}

And then you would call it when needed in node/http.ts:

// ...
const isCookieValidArgs: IsCookieValidArgs = {
  passwordMethod,
  
  // Before:
  // cookieKey: sanitizeString(req.cookies[CookieKeys.Session]),
  
  // After:
  cookieKey: sanitizeString(req.cookies[getCookieSessionName(req.args["cookie-suffix"])])
  
  
  passwordFromArgs: req.args.password || "",
  hashedPasswordFromArgs: req.args["hashed-password"],
}
// ...

Copy link
Member

@code-asher code-asher Dec 10, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Personally I think there is no need to embed it in CookieKeys, we only ever have the one cookie name, so I am not sure we why even had it as an enum before.

The overhead from this is probably so minuscule it may not even be possible to measure it. But, we could instead calculate it once and pass it through using the request.

We could add cookieSessionName: string here:

code-server/src/node/http.ts

Lines 38 to 43 in 472bf8a

export interface Request {
args: DefaultedArgs
heart: Heart
settings: SettingsProvider<CoderSettings>
updater: UpdateProvider
}

And then here we could calculate the name in a const and attach it to the request like we do with the other variables here:

code-server/src/node/routes/index.ts

Lines 62 to 80 in 472bf8a

const updater = new UpdateProvider("https://api.github.com/repos/coder/code-server/releases/latest", settings)
const common: express.RequestHandler = (req, _, next) => {
// /healthz|/healthz/ needs to be excluded otherwise health checks will make
// it look like code-server is always in use.
if (!/^\/healthz\/?$/.test(req.url)) {
// NOTE@jsjoeio - intentionally not awaiting the .beat() call here because
// we don't want to slow down the request.
heart.beat()
}
// Add common variables routes can use.
req.args = args
req.heart = heart
req.settings = settings
req.updater = updater
next()
}

Copy link
Author

@Timon-D3v Timon-D3v Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That makes a ton of sense to me now. Also i didn't understand that you wanted to get rid of the CookieKeys but now all you answers are clear to me.

The overhead from this is probably so minuscule it may not even be possible to measure it. But, we could instead calculate it once and pass it through using the request.

I also think it would not make a big difference but since it takes so long to load (even if it is faster when built) I think it does not hurt to do it that way.

Do you agree? If so I would start to work on it :)

Copy link
Member

@code-asher code-asher Dec 10, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Yup that sounds good to me!

}
11 changes: 11 additions & 0 deletions src/node/cli.ts
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,6 +53,7 @@ export interface UserProvidedCodeArgs {
"disable-getting-started-override"?: boolean
"disable-proxy"?: boolean
"session-socket"?: string
"cookie-suffix"?: string
"link-protection-trusted-domains"?: string[]
// locale is used by both VS Code and code-server.
locale?: string
Expand Down Expand Up @@ -172,6 +173,12 @@ export const options: Options<Required<UserProvidedArgs>> = {
"session-socket": {
type: "string",
},
"cookie-suffix": {
type: "string",
description:
"Adds a suffix to the cookie. This can prevent a collision of cookies for subdomains, making them explixit. \n" +
"Without this flag, no suffix is used. This can also be set with COOKIE_SUFFIX set to any string.",
},
"disable-file-downloads": {
type: "boolean",
description:
Expand Down Expand Up @@ -616,6 +623,10 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
usingEnvPassword = false
}

if (process.env.COOKIE_SUFFIX) {
args["cookie-suffix"] = process.env.COOKIE_SUFFIX
}

if (process.env.GITHUB_TOKEN) {
args["github-auth"] = process.env.GITHUB_TOKEN
}
Expand Down
Loading