calibre-web deletes auth cookie #3270

Open
aguaviva opened this issue Jan 1, 2025 · 9 comments

aguaviva commented Jan 1, 2025

Describe the bug/problem

Is Calibre-web somehow deleting cookies or doing some sort of cookie management? Only when using Calibre-web does my auth cookie sometimes disappear.

Request
I'd appreciate some hints on where to look. Does it ring a bell as to what could be causing this?

Context
Note: I am using Calibre-web through an NGINX proxy + auth cookie, and this setup is working with many other self-hosted apps.

Thanks.

@OzzieIsaacs
Collaborator

Calibre-web uses the cookie name "session" to store the login information. If other services on the same server use the same name, this could indeed lead to behavior like that described.
The formerly undocumented environment variable COOKIE_PREFIX can help in this case.
If you set it to something like "cw", the session is stored in a cookie "cw_session" afterwards and should no longer interfere with other services.
To check the cookie names of the other services, you could open the developer console of your browser and check the requests; there should be a tab showing the cookie names. If they are the same as the ones calibre-web uses, they will get overwritten, and the other service itself will overwrite the cookie of calibre-web.

@aguaviva
Author

aguaviva commented Jan 2, 2025

Thank you for taking the time to write this detailed answer. I'll give it a try and debug the issue as much as I can.

@aguaviva
Author

aguaviva commented Jan 5, 2025

I am still debugging the issue. Quick question: it looks like when I run calibre-web over an nginx proxy I get all these cookies (see below)... I believe it might be related, as this doesn't happen when I access it directly. Any idea why those cookies are there?

image

/libros is the path where I put calibre-web

@OzzieIsaacs
Collaborator

Normally the cookie should be stored in association with the /libros path. The cover/number paths are all related to simple calls for showing a cover; they should not store a cookie. I have no idea why this happens for you.

@OzzieIsaacs
Collaborator

I'm using Apache as a proxy and I don't get these cookies. My feeling is that this is a misconfiguration on your side. Have you checked the wiki regarding examples for setting up the proxy?

@ejoin-cc

I have encountered similar issues. It seems that whenever I click any button or refresh the page, the cookie remember_token will be deleted. I see remember_cookie with the samesite value set to strict. I use nginx proxy manager as the reverse proxy, and the configuration is:

```nginx
proxy_buffer_size 128k;
proxy_buffers 4 256k;
proxy_busy_buffers_size 256k;

proxy_set_header Host $host;
proxy_set_header X-Real-IP $proxy_protocol_addr;
proxy_set_header X-Forwarded-Proto $scheme;
proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
client_max_body_size 1024m;
```

I also tried to modify the cookie prefix, but the cookie also disappeared after refreshing the page. The status before and after:

before:
image

after:
image

The calibre_remember_token disappeared....

@aguaviva
Author

I have the same config and get similar results. I tried some basic variations and tried disabling certain code paths but couldn't find the root cause.

I'll be happy to try more experiments but I'd need some guidance.

@ejoin-cc

ejoin-cc commented Jan 16, 2025

image

The request is sent with remember_token and session (I tried to specify the prefix), but the response HTTP code is 302, and then I need to log in.

image

I find that the responses for this path simply delete remember_token, as well as requests for other paths. I'm not sure if the problem is really related to this phenomenon.

@ejoin-cc

My guess is that my IP changed between making multiple requests. Changing the configurable setting for 'Session Protection' does solve this issue.
image
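
The behaviour reported in the last comments, as an added example that is not part of the thread and not calibre-web's own code: a simplified Python model of IP-bound session protection, patterned on Flask-Login's `basic` and `strong` modes. That calibre-web's 'Session Protection' setting maps to these modes is an assumption; the addresses, user agent and cookie values are constructed.

```python
import hashlib

def client_identifier(ip, user_agent):
    """Fingerprint stored in the session at login: hash of client IP and User-Agent."""
    return hashlib.sha512(f"{ip}|{user_agent}".encode("utf-8")).hexdigest()

def handle_request(session, cookies, ip, user_agent, mode):
    """Simulate one page request; returns (status, set_cookie_headers)."""
    ident = client_identifier(ip, user_agent)
    if mode in ("basic", "strong") and session and session.get("_id") != ident:
        if mode == "strong":
            session.clear()  # drop the login ...
            # ... and expire the remember-me cookie so it cannot restore it
            return 302, ["remember_token=; Max-Age=0; Path=/"]
        session["_fresh"] = False  # basic: stay logged in, marked non-fresh
    if "_user_id" in session:
        return 200, []
    if "remember_token" in cookies:  # simplified: remember-me cookie restores the login
        session.update(_user_id=cookies["remember_token"], _id=ident, _fresh=False)
        return 200, []
    return 302, []  # anonymous: redirect to the login page

def replay(mode, ips):
    """Log in from ips[0], then request a page from each address in ips."""
    ua = "Mozilla/5.0 (constructed)"
    session = {"_user_id": "1", "_id": client_identifier(ips[0], ua), "_fresh": True}
    cookies = {"remember_token": "1"}  # constructed value
    results = []
    for ip in ips:
        status, headers = handle_request(session, cookies, ip, ua, mode)
        for header in headers:  # the browser obeys the deletion
            if header.startswith("remember_token=;"):
                cookies.pop("remember_token", None)
        results.append((ip, status, "remember_token" in cookies))
    return results

if __name__ == "__main__":
    # Constructed scenario: the application sees a different client IP from request 2 on.
    seen_ips = ["203.0.113.10", "198.51.100.7", "198.51.100.7"]
    for mode in ("strong", "basic", "none"):
        print(mode, replay(mode, seen_ips))
```

In `strong` mode the second request returns 302 and removes `remember_token`, which matches the redirect and cookie deletion observed above; `basic` and `none` keep the login across the address change.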
