sbp commented on issue #317: URL: https://github.com/apache/tooling-trusted-releases/issues/317#issuecomment-3538941996
This is a combination of two behaviours. We set `SameSite=Strict` for the ASFQuart session cookie, which means that the browser does not send its existing session cookie when you follow a link from e.g. a vote email or from the page of this GitHub issue thread. On most routes that would result in an immediate prompt to log in, because most of our routes require the user to be a committer. That's not true of this vote page, however: it's a public page. This combination means that the user is effectively logged out in that whole cross-site browsing context, and is not prompted to log in on this individual page.

What would be ideal is if we could detect the existence of a session cookie even if we could not read it, and then force the authentication. I doubt (without checking) that the browser vendors will have allowed this exact behaviour, but we could mimic it by setting a cookie called `has_session` and setting that to `SameSite=Lax` or even `SameSite=None`. We would then detect this and prompt the user to authenticate (or clear that cookie) on public routes where an enhanced interface is available for committers.

Alternatively, and much more easily, we could make the page available only to committers, but our [voting policy](https://apache.org/foundation/voting.html) does not preclude non-committers from voting. They would need an ASF UID anyway to record their vote on ATR, but they would not need a UID to vote on the mailing list. Therefore we will probably have to implement `has_session`, but we will have to think carefully about the security implications.

-- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment.
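The marker-cookie idea from the comment above, worked through as an added example (this is not ASFQuart or ATR code). It models the two behaviours described, a `SameSite=Strict` session cookie that the browser withholds on cross-site navigations and a public route that therefore serves the anonymous view, and then adds the proposed `has_session` flag with `SameSite=Lax` so the public route can tell an anonymous visitor apart from a logged-in committer who arrived from a mail client or GitHub. The cookie names, route paths, response actions and the small browser model are assumptions made for illustration; the SameSite decision rules follow RFC 6265bis.

```python
"""Marker-cookie pattern for a SameSite=Strict session (added example, not
ASFQuart/ATR code). Names, paths and the browser model are assumptions."""
from dataclasses import dataclass
from enum import Enum


class SameSite(Enum):
    STRICT = "Strict"
    LAX = "Lax"
    NONE = "None"


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    samesite: SameSite
    secure: bool = True
    httponly: bool = True

    def set_cookie_header(self) -> str:
        """Render as a Set-Cookie header value."""
        attrs = [f"{self.name}={self.value}", "Path=/", f"SameSite={self.samesite.value}"]
        if self.secure:
            attrs.append("Secure")
        if self.httponly:
            attrs.append("HttpOnly")
        return "; ".join(attrs)


@dataclass(frozen=True)
class Request:
    """A request as the browser classifies it before attaching cookies."""
    path: str
    method: str = "GET"
    same_site: bool = True              # initiator's site == target site?
    top_level_navigation: bool = True   # link click / address bar, not fetch or <img>


def browser_sends(cookie: Cookie, req: Request) -> bool:
    """Would a conforming browser attach `cookie` to `req`? (RFC 6265bis rules)"""
    if cookie.samesite is SameSite.NONE and not cookie.secure:
        return False                    # modern browsers reject None without Secure
    if req.same_site:
        return True
    if cookie.samesite is SameSite.NONE:
        return True
    if cookie.samesite is SameSite.LAX:
        # Lax rides along only on cross-site *top-level* navigations with safe methods
        return req.top_level_navigation and req.method in ("GET", "HEAD")
    return False                        # Strict: never on a cross-site request


def cookies_sent(jar: list[Cookie], req: Request) -> dict[str, str]:
    """The Cookie header the browser would build from its jar for this request."""
    return {c.name: c.value for c in jar if browser_sends(c, req)}


# ---- server side (assumed names and paths) ----------------------------------
SESSION = "session"          # the real session, SameSite=Strict
HAS_SESSION = "has_session"  # secret-free marker, SameSite=Lax

COMMITTER_ONLY = {"/admin", "/release/new"}
PUBLIC_ENHANCED = {"/vote/example-1.0"}   # public, but richer UI for committers


def login_cookies() -> list[Cookie]:
    """Cookies issued on successful login. Values are placeholders."""
    return [
        Cookie(SESSION, "opaque-session-id", SameSite.STRICT),
        # The marker carries no secret and is never used to grant anything.
        Cookie(HAS_SESSION, "1", SameSite.LAX, httponly=False),
    ]


def route(path: str, received: dict[str, str]) -> str:
    """Server decision for `path`, given only the cookies the browser actually sent."""
    logged_in = SESSION in received
    if path in COMMITTER_ONLY:
        return "serve-committer" if logged_in else "redirect-login"
    if path in PUBLIC_ENHANCED:
        if logged_in:
            return "serve-public-enhanced"
        if received.get(HAS_SESSION) == "1":
            # Logged-in user arriving cross-site: the Strict session cookie was
            # withheld but the Lax marker was not. Do not silently serve the
            # anonymous page; ask the user to re-enter via a same-site navigation
            # (or offer to clear the marker).
            return "prompt-auth"
        return "serve-public-anonymous"
    return "not-found"


def follow_link_from_email(jar: list[Cookie], path: str = "/vote/example-1.0") -> str:
    """Top-level GET initiated from a mail client or GitHub page: cross-site."""
    req = Request(path, same_site=False, top_level_navigation=True)
    return route(path, cookies_sent(jar, req))


if __name__ == "__main__":
    jar = login_cookies()
    for c in jar:
        print("Set-Cookie:", c.set_cookie_header())
    print("vote link from email ->", follow_link_from_email(jar))
    same_site = Request("/vote/example-1.0")
    print("same-site click      ->", route("/vote/example-1.0", cookies_sent(jar, same_site)))
```

Three points a practitioner would want to keep in mind when doing this for real. The marker is a hint, never a credential: its only effect is to choose between "serve the anonymous page" and "prompt", so forging or replaying it gains nothing. The prompt should itself initiate a same-site navigation (a link on the prompt page, or a client-side redirect from the document), because a server-side 302 generally inherits the cross-site initiator and the Strict session cookie would still be withheld. And the marker must be cleared whenever the session is cleared or expires, with a matching lifetime, or users with a stale marker will be prompted on every public page; `SameSite=None` buys nothing over `Lax` here, since the marker only matters on top-level navigations, and it would additionally be attached to cross-site subresource requests.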
