
Back-office auth: Calculate token cookie names at request time (Closes #21050)#21056

Merged
Migaroez merged 2 commits into release/17.0 from v17/bugfix/http-vs-secure-cookies
Dec 5, 2025

Conversation

Contributor @kjac commented Dec 4, 2025

Prerequisites

  • I have added steps to test this contribution in the description below

If there's an existing issue for this PR then this fixes #21050

Description

The __Host- cookie prefix enforces secure cookies at browser level, which causes cookies to be rejected when running over HTTP in local development environments even when UseHttps is set to false.

With this PR, cookie names are now calculated per-request based on both the UseHttps setting and whether the current request is over HTTPS, matching the logic used for the Secure cookie option.

Testing this PR

  1. If UseHttps is set to true, it should be possible to log into the backoffice over HTTPS.
  2. If UseHttps is set to false, it should be possible to log into the backoffice over both HTTPS and HTTP.

Also verify that the resulting cookie name prefixes (for umbAccessToken and umbRefreshToken) follow these rules:

UseHttps   Request is HTTPS   Cookie name prefix
true       Any                __Host-
false      Yes                __Host-
false      No                 (none)
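The decision described above, as an added example that is not part of the PR or of the Umbraco code base: a small Python model of the per-request cookie-name rule next to the browser-side rules for the __Host- prefix and the Secure attribute (RFC 6265bis), so the HTTP-on-a-dev-box rejection can be reproduced offline. The pre-fix branch (fixed=False) models the behaviour the description reports: name always __Host-, Secure still computed per request. All function and class names here (Cookie, issue_token_cookies, browser_accepts, login_cookies_survive) are assumptions made for illustration.

```python
# Added example (not Umbraco code): models the per-request cookie-name decision
# described in this PR next to the browser-side rules for the __Host- prefix,
# so the HTTP-over-local-dev rejection can be reproduced offline.
# Every function and class name here is an assumption made for illustration.
from dataclasses import dataclass
from typing import Optional

HOST_PREFIX = "__Host-"
TOKEN_COOKIES = ("umbAccessToken", "umbRefreshToken")


@dataclass(frozen=True)
class Cookie:
    """The parts of a Set-Cookie header that the prefix rules look at."""
    name: str
    secure: bool           # Secure attribute present
    path: str              # Path attribute
    domain: Optional[str]  # None: no Domain attribute sent


def is_secure_cookie(use_https: bool, request_is_https: bool) -> bool:
    # The rule the PR says already decides the Secure attribute: secure when
    # UseHttps is on, or when the current request itself arrived over HTTPS.
    return use_https or request_is_https


def cookie_prefix(use_https: bool, request_is_https: bool) -> str:
    # After the PR the prefix follows the same decision as the Secure flag,
    # which reproduces the table in the PR description.
    return HOST_PREFIX if is_secure_cookie(use_https, request_is_https) else ""


def token_cookie_names(use_https: bool, request_is_https: bool) -> tuple:
    prefix = cookie_prefix(use_https, request_is_https)
    return tuple(prefix + base for base in TOKEN_COOKIES)


def issue_token_cookies(use_https: bool, request_is_https: bool, fixed: bool) -> list:
    """Cookies the back-office would set on login. fixed=False models the
    pre-PR behaviour: name always __Host-, Secure still computed per request."""
    secure = is_secure_cookie(use_https, request_is_https)
    prefix = cookie_prefix(use_https, request_is_https) if fixed else HOST_PREFIX
    return [Cookie(prefix + base, secure, "/", None) for base in TOKEN_COOKIES]


def browser_accepts(cookie: Cookie, request_is_https: bool) -> bool:
    """Secure and cookie-prefix rules from RFC 6265bis as browsers apply them:
    a Secure cookie set from a non-secure origin is dropped; __Host- also
    requires Secure, Path=/ and no Domain; __Secure- requires Secure."""
    if cookie.secure and not request_is_https:
        return False
    if cookie.name.startswith("__Host-"):
        return cookie.secure and cookie.path == "/" and cookie.domain is None
    if cookie.name.startswith("__Secure-"):
        return cookie.secure
    return True


def login_cookies_survive(use_https: bool, request_is_https: bool, fixed: bool) -> bool:
    """True when the browser keeps both token cookies, i.e. the login can stick."""
    return all(browser_accepts(c, request_is_https)
               for c in issue_token_cookies(use_https, request_is_https, fixed))


if __name__ == "__main__":
    for use_https, https in [(True, True), (True, False), (False, True), (False, False)]:
        print(f"UseHttps={use_https!s:5} https={https!s:5} "
              f"names={token_cookie_names(use_https, https)} "
              f"before={login_cookies_survive(use_https, https, False)} "
              f"after={login_cookies_survive(use_https, https, True)}")
```

The UseHttps=false, HTTP row is the reported case: before the change the cookie is named __Host- but is not Secure, so the prefix rule alone makes the browser drop it; after the change the unprefixed cookie is kept. With UseHttps=true a login over HTTP still fails, but now because a Secure cookie from a non-secure origin is dropped, which is the documented intent. One practitioner's caveat that follows from the table: since the name is computed per request, a cookie issued on an HTTPS request (__Host-umbAccessToken) is a different cookie from the one looked up on an HTTP request, which matches the Secure attribute that already keeps the HTTPS cookie from being sent over HTTP.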

The __Host- cookie prefix enforces secure cookies at browser level,
which caused cookies to be rejected when running over HTTP in local
development environments even when UseHttps was set to false.

Cookie names are now calculated per-request based on both the UseHttps
setting and whether the current request is over HTTPS, matching the
logic used for the Secure cookie option.
@kjac changed the title from "Back-office auth: Calculate token cookie names at request time" to "Back-office auth: Calculate token cookie names at request time (Closes #21050)" on Dec 4, 2025
@kjac changed the base branch from main to release/17.0 on December 4, 2025 09:35
Contributor @Migaroez left a comment


Minor optional suggestions. Works as advertised. Feel free to merge after discarding or applying the suggestions.

…okensHandler.cs

Co-authored-by: Sven Geusens <sge@umbraco.dk>


Development

Successfully merging this pull request may close these issues.

Infinite login redirect when using HTTP url

2 participants