
fix: use unique cookies for workspace proxies #19930

Merged
deansheather merged 1 commit into main from dean/subdomain-cookie, Sep 24, 2025

Conversation

@deansheather (Member) commented Sep 24, 2025

There is currently an issue with subdomain workspace apps on workspace proxies, where if you have a workspace proxy wildcard nested beneath the primary wildcard, cookies from the primary may be sent to the server before cookies from the proxy specifically.

Currently:

  1. Use a subdomain app via the primary proxy *.coder.corp.com
    a. Client sends no cookies
    b. Server does token smuggling flow
    c. Server sets a cookie coder_subdomain_app_session_token on *.coder.corp.com
    d. Server redirects client to reload the page
    e. Request should succeed as usual
  2. Wait until the primary proxy's session token cookie has expired in the database (or make it invalid yourself)
  3. Use a subdomain app via a separate proxy *.sydney.coder.corp.com
    a. Client sends coder_subdomain_app_session_token cookie from *.coder.corp.com
    b. Server validates supplied cookie, it fails because it's expired
    c. Server does token smuggling flow
    d. Server sets a cookie coder_subdomain_app_session_token on *.sydney.coder.corp.com
    e. Server redirects client to reload page
    f. Client sends BOTH cookies.
    g. The server will only process the first cookie it receives, so if the expired cookie for the primary proxy is sent first the request will end up in a permanent loop on step b.

The fix is to append _{hash(wildcard_access_url)} to the subdomain cookies as we cannot control browser behavior further. This avoids the conflict as each proxy will only read its specific cookie.
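The loop described in step 3 and the effect of the per-proxy cookie name, reproduced as an added Go example (not code from the Coder repository or from this PR). It uses `net/http` from the standard library, which returns only the first cookie matching a name, exactly the server behaviour the description relies on. The hash choice (SHA-256 truncated to 8 hex characters), the app hostname and the token values are constructed for the example; the real implementation may hash differently.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"net/http"
	"strings"
)

// Base cookie name for subdomain workspace apps (taken from the PR description).
const subdomainAppCookieBase = "coder_subdomain_app_session_token"

// wildcardCookieName appends a short hash of the proxy's wildcard access URL to
// the base name, so each proxy reads only the cookie it set itself. SHA-256
// truncated to 8 hex characters is an assumption made for this example.
func wildcardCookieName(wildcardAccessURL string) string {
	sum := sha256.Sum256([]byte(strings.ToLower(wildcardAccessURL)))
	return subdomainAppCookieBase + "_" + hex.EncodeToString(sum[:])[:8]
}

// firstCookieValue models the pre-fix behaviour: net/http returns only the
// first cookie with a matching name, in the order the browser sent them.
func firstCookieValue(r *http.Request, name string) string {
	c, err := r.Cookie(name)
	if err != nil {
		return ""
	}
	return c.Value
}

// proxySessionToken models the post-fix behaviour: look up the cookie whose
// name is bound to this proxy's wildcard URL; a stale cookie set by another
// wildcard domain has a different name and is simply ignored.
func proxySessionToken(r *http.Request, wildcardAccessURL string) string {
	return firstCookieValue(r, wildcardCookieName(wildcardAccessURL))
}

// requestWithCookies builds a GET to a constructed app hostname carrying the
// given cookies in the order a browser would send them.
func requestWithCookies(cookies ...*http.Cookie) *http.Request {
	r, err := http.NewRequest(http.MethodGet, "https://myapp.sydney.coder.corp.com/", nil)
	if err != nil {
		panic(err)
	}
	for _, c := range cookies {
		r.AddCookie(c)
	}
	return r
}

// Scenario from step 3 of the PR: the browser sends the expired primary cookie
// before the fresh one issued by the sydney proxy (token values are constructed).
const (
	primaryWildcard = "*.coder.corp.com"
	sydneyWildcard  = "*.sydney.coder.corp.com"
	expiredPrimary  = "expired-primary-token"
	freshSydney     = "fresh-sydney-token"
)

// beforeFix returns the token the sydney proxy acts on when both proxies share
// one cookie name: the stale primary token, which fails validation and
// restarts the token smuggling flow on every reload.
func beforeFix() string {
	r := requestWithCookies(
		&http.Cookie{Name: subdomainAppCookieBase, Value: expiredPrimary},
		&http.Cookie{Name: subdomainAppCookieBase, Value: freshSydney},
	)
	return firstCookieValue(r, subdomainAppCookieBase)
}

// afterFix returns the token the sydney proxy acts on once names are unique:
// the fresh token it issued itself, regardless of cookie order.
func afterFix() string {
	r := requestWithCookies(
		&http.Cookie{Name: wildcardCookieName(primaryWildcard), Value: expiredPrimary},
		&http.Cookie{Name: wildcardCookieName(sydneyWildcard), Value: freshSydney},
	)
	return proxySessionToken(r, sydneyWildcard)
}

func main() {
	fmt.Println("primary cookie name:", wildcardCookieName(primaryWildcard))
	fmt.Println("sydney cookie name: ", wildcardCookieName(sydneyWildcard))
	fmt.Println("before fix, sydney reads:", beforeFix())
	fmt.Println("after fix, sydney reads: ", afterFix())
}
```

Hashing the wildcard URL rather than, say, numbering proxies keeps the name stable across restarts and derivable by any replica of the same proxy without coordination, which is what lets each proxy locate its own cookie deterministically.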

@Emyrk (Member) left a comment

I have seen this issue before, this solution is neat 👍

@deansheather deansheather merged commit 42dd544 into main Sep 24, 2025
30 checks passed
@deansheather deansheather deleted the dean/subdomain-cookie branch September 24, 2025 14:30
@github-actions github-actions Bot locked and limited conversation to collaborators Sep 24, 2025