Add cookie-suffix flag (#7590)

Timon-D3v · web-flow · commit 68ac95b84ef1 · 2025-12-11T16:23:09.000-09:00
diff --git a/src/common/http.ts b/src/common/http.ts
@@ -24,6 +24,6 @@ export class HttpError extends Error{
 }
 }
 
-export enum CookieKeys{
- Session = "code-server-session",
+export function getCookieSessionName(suffix?: string): string{
+ return suffix ? `code-server-session-${suffix.replace(/[^a-zA-Z0-9-]/g, "-")}` : "code-server-session"
 }
diff --git a/src/node/cli.ts b/src/node/cli.ts
@@ -53,6 +53,7 @@ export interface UserProvidedCodeArgs{
 "disable-getting-started-override"?: boolean
 "disable-proxy"?: boolean
 "session-socket"?: string
+ "cookie-suffix"?: string
 "link-protection-trusted-domains"?: string[]
 // locale is used by both VS Code and code-server.
 locale?: string
@@ -172,6 +173,12 @@ export const options: Options<Required<UserProvidedArgs>> ={
 "session-socket":{
 type: "string",
 },
+ "cookie-suffix":{
+ type: "string",
+ description:
+ "Adds a suffix to the cookie. This can prevent a collision of cookies for subdomains, making them explixit. \n" +
+ "Without this flag, no suffix is used. This can also be set with CODE_SERVER_COOKIE_SUFFIX set to any string.",
+ },
 "disable-file-downloads":{
 type: "boolean",
 description:
@@ -616,6 +623,10 @@ export async function setDefaults(cliArgs: UserProvidedArgs, configArgs?: Config
 usingEnvPassword = false
 }
 
+ if (process.env.CODE_SERVER_COOKIE_SUFFIX){
+ args["cookie-suffix"] = process.env.CODE_SERVER_COOKIE_SUFFIX
+ }
+
 if (process.env.GITHUB_TOKEN){
 args["github-auth"] = process.env.GITHUB_TOKEN
 }
diff --git a/src/node/http.ts b/src/node/http.ts
@@ -4,7 +4,7 @@ import * as http from "http"
 import * as net from "net"
 import qs from "qs"
 import{Disposable } from "../common/emitter"
-import{CookieKeys, HttpCode, HttpError } from "../common/http"
+import{HttpCode, HttpError } from "../common/http"
 import{normalize } from "../common/util"
 import{AuthType, DefaultedArgs } from "./cli"
 import{version as codeServerVersion } from "./constants"
@@ -40,6 +40,7 @@ declare global{
 heart: Heart
 settings: SettingsProvider<CoderSettings>
 updater: UpdateProvider
+ cookieSessionName: string
 }
 }
 }
@@ -124,7 +125,7 @@ export const authenticated = async (req: express.Request): Promise<boolean> =>{
 const passwordMethod = getPasswordMethod(hashedPasswordFromArgs)
 const isCookieValidArgs: IsCookieValidArgs ={
 passwordMethod,
- cookieKey: sanitizeString(req.cookies[CookieKeys.Session]),
+ cookieKey: sanitizeString(req.cookies[req.cookieSessionName]),
 passwordFromArgs: req.args.password || "",
 hashedPasswordFromArgs: req.args["hashed-password"],
 }
diff --git a/src/node/routes/index.ts b/src/node/routes/index.ts
@@ -5,7 +5,7 @@ import{promises as fs } from "fs"
 import * as path from "path"
 import * as tls from "tls"
 import{Disposable } from "../../common/emitter"
-import{HttpCode, HttpError } from "../../common/http"
+import{getCookieSessionName, HttpCode, HttpError } from "../../common/http"
 import{plural } from "../../common/util"
 import{App } from "../app"
 import{AuthType, DefaultedArgs } from "../cli"
@@ -61,6 +61,8 @@ export const register = async (
 const settings = new SettingsProvider<CoderSettings>(path.join(args["user-data-dir"], "coder.json"))
 const updater = new UpdateProvider("https://api.github.com/repos/coder/code-server/releases/latest", settings)
 
+ const cookieSessionName = getCookieSessionName(args["cookie-suffix"])
+
 const common: express.RequestHandler = (req, _, next) =>{
 // /healthz|/healthz/ needs to be excluded otherwise health checks will make
 // it look like code-server is always in use.
@@ -75,6 +77,7 @@ export const register = async (
 req.heart = heart
 req.settings = settings
 req.updater = updater
+ req.cookieSessionName = cookieSessionName
 
 next()
 }
diff --git a/src/node/routes/login.ts b/src/node/routes/login.ts
@@ -2,7 +2,6 @@ import{Router, Request } from "express"
 import{promises as fs } from "fs"
 import{RateLimiter as Limiter } from "limiter"
 import * as path from "path"
-import{CookieKeys } from "../../common/http"
 import{rootPath } from "../constants"
 import{authenticated, getCookieOptions, redirect, replaceTemplates } from "../http"
 import i18n from "../i18n"
@@ -95,7 +94,7 @@ router.post<{}, string,{password?: string; base?: string } | undefined,{to?:
 if (isPasswordValid){
 // The hash does not add any actual security but we do it for
 // obfuscation purposes (and as a side effect it handles escaping).
- res.cookie(CookieKeys.Session, hashedPassword, getCookieOptions(req))
+ res.cookie(req.cookieSessionName, hashedPassword, getCookieOptions(req))
 
 const to = (typeof req.query.to === "string" && req.query.to) || "/"
 return redirect(req, res, to,{to: undefined })
diff --git a/src/node/routes/logout.ts b/src/node/routes/logout.ts
@@ -1,13 +1,12 @@
 import{Router } from "express"
-import{CookieKeys } from "../../common/http"
 import{getCookieOptions, redirect } from "../http"
 import{sanitizeString } from "../util"
 
 export const router = Router()
 
 router.get<{}, undefined, undefined,{base?: string; to?: string }>("/", async (req, res) =>{
 // Must use the *identical* properties used to set the cookie.
- res.clearCookie(CookieKeys.Session, getCookieOptions(req))
+ res.clearCookie(req.cookieSessionName, getCookieOptions(req))
 
 const to = sanitizeString(req.query.to) || "/"
 return redirect(req, res, to,{to: undefined, base: undefined, href: undefined })

Original file line number	Diff line number	Diff line change
`@@ -24,6 +24,6 @@ export class HttpError extends Error{`
`24`	`24`	`}`
`25`	`25`	`}`
`26`	`26`
`27`		`-exportenumCookieKeys{`
`28`		`-Session="code-server-session",`
	`27`	`+exportfunctiongetCookieSessionName(suffix?: string): string{`
	`28`	+returnsuffix ? `code-server-session-${suffix.replace(/[^a-zA-Z0-9-]/g,"-")}` : "code-server-session"
`29`	`29`	`}`
Original file line number	Diff line number	Diff line change
`@@ -4,7 +4,7 @@ import * as http from "http"`
`4`	`4`	`import*asnetfrom"net"`
`5`	`5`	`importqsfrom"qs"`
`6`	`6`	`import{Disposable}from"../common/emitter"`
`7`		`-import{CookieKeys,HttpCode,HttpError}from"../common/http"`
	`7`	`+import{HttpCode,HttpError}from"../common/http"`
`8`	`8`	`import{normalize}from"../common/util"`
`9`	`9`	`import{AuthType,DefaultedArgs}from"./cli"`
`10`	`10`	`import{versionascodeServerVersion}from"./constants"`
`@@ -40,6 +40,7 @@ declare global{`
`40`	`40`	`heart: Heart`
`41`	`41`	`settings: SettingsProvider<CoderSettings>`
`42`	`42`	`updater: UpdateProvider`
	`43`	`+cookieSessionName: string`
`43`	`44`	`}`
`44`	`45`	`}`
`45`	`46`	`}`
`@@ -124,7 +125,7 @@ export const authenticated = async (req: express.Request): Promise<boolean> =>{`
`124`	`125`	`constpasswordMethod=getPasswordMethod(hashedPasswordFromArgs)`
`125`	`126`	`constisCookieValidArgs: IsCookieValidArgs={`
`126`	`127`	`passwordMethod,`
`127`		`-cookieKey: sanitizeString(req.cookies[CookieKeys.Session]),`
	`128`	`+cookieKey: sanitizeString(req.cookies[req.cookieSessionName]),`
`128`	`129`	`passwordFromArgs: req.args.password\|\|"",`
`129`	`130`	`hashedPasswordFromArgs: req.args["hashed-password"],`
`130`	`131`	`}`
-Original file line number
+Diff line change
 import*aspathfrom"path"
 import*astlsfrom"tls"
 import{Disposable}from"../../common/emitter"
 -import{HttpCode,HttpError}from"../../common/http"
 +import{getCookieSessionName,HttpCode,HttpError}from"../../common/http"
 import{plural}from"../../common/util"
 import{App}from"../app"
 import{AuthType,DefaultedArgs}from"../cli"
 constsettings=newSettingsProvider<CoderSettings>(path.join(args["user-data-dir"],"coder.json"))
 constupdater=newUpdateProvider("https://api.github.com/repos/coder/code-server/releases/latest",settings)
 +constcookieSessionName=getCookieSessionName(args["cookie-suffix"])
++
 constcommon: express.RequestHandler=(req,_,next)=>{
 // /healthz|/healthz/ needs to be excluded otherwise health checks will make
 // it look like code-server is always in use.
 req.heart=heart
 req.settings=settings
 req.updater=updater
 +req.cookieSessionName=cookieSessionName
 next()
+}
-Original file line number
+Diff line change
 import{promisesasfs}from"fs"
 import{RateLimiterasLimiter}from"limiter"
 import*aspathfrom"path"
 -import{CookieKeys}from"../../common/http"
 import{rootPath}from"../constants"
 import{authenticated,getCookieOptions,redirect,replaceTemplates}from"../http"
 importi18nfrom"../i18n"
 if(isPasswordValid){
 // The hash does not add any actual security but we do it for
 // obfuscation purposes (and as a side effect it handles escaping).
 -res.cookie(CookieKeys.Session,hashedPassword,getCookieOptions(req))
 +res.cookie(req.cookieSessionName,hashedPassword,getCookieOptions(req))
 constto=(typeofreq.query.to==="string"&&req.query.to)||"/"
 returnredirect(req,res,to,{to: undefined})
-Original file line number
+Diff line change
@@ @@ -1,13 +1,12 @@ @@
 import{Router}from"express"
 -import{CookieKeys}from"../../common/http"
 import{getCookieOptions,redirect}from"../http"
 import{sanitizeString}from"../util"
 exportconstrouter=Router()
 router.get<{},undefined,undefined,{base?: string;to?: string}>("/",async(req,res)=>{
 // Must use the *identical* properties used to set the cookie.
 -res.clearCookie(CookieKeys.Session,getCookieOptions(req))
 +res.clearCookie(req.cookieSessionName,getCookieOptions(req))
 constto=sanitizeString(req.query.to)||"/"
 returnredirect(req,res,to,{to: undefined,base: undefined,href: undefined})