[Feat]: Remember password across browser session restarts

[hwittenborn]

What is your suggestion?

I have a fairly complicated password on my code-server instance, and every time I restart my device (a Chrome OS laptop from my school) I have to log back in to my instance. It would be nice if code-server always remembered my password, or at least a period longer than across computer reboots.

Why do you want this feature?

So I don't have to keep typing in my long password.

Are there any workarounds to get this functionality today?

No

Are you interested in submitting a PR for this?

Not likely as I don't do much work with JavaScript, though I'd be open to it if it isn't overly complicated.

[jsjoeio]

Thinking out loud here...I believe the cookie is set here after you enter a valid password:

code-server/src/node/routes/login.ts

Line 87 in ec3d997

res.cookie(CookieKeys.Session, hashedPassword, getCookieOptions(req))

And this is where the logic for the cookie options are set:

code-server/src/node/http.ts

Lines 259 to 286 in ec3d997

	/**
	* Get the options for setting a cookie. The options must be identical for
	* setting and unsetting cookies otherwise they are considered separate.
	*/
	export const getCookieOptions = (req: express.Request): express.CookieOptions => {
	// Normally we set paths relatively. However browsers do not appear to allow
	// cookies to be set relatively which means we need an absolute path. We
	// cannot be guaranteed we know the path since a reverse proxy might have
	// rewritten it. That means we need to get the path from the frontend.
	// The reason we need to set the path (as opposed to defaulting to /) is to
	// avoid code-server instances on different sub-paths clobbering each other or
	// from accessing each other's tokens (and to prevent other services from
	// accessing code-server's tokens).
	// When logging in or out the request must include the href (the full current
	// URL of that page) and the relative path to the root as given to it by the
	// backend. Using these two we can determine the true absolute root.
	const url = new URL(
	req.query.base || req.body.base || "/",
	req.query.href || req.body.href || "http://" + (req.headers.host || "localhost"),
	)
	return {
	domain: getCookieDomain(url.host, req.args["proxy-domain"]),
	path: normalize(url.pathname) || "/",
	sameSite: "lax",
	}
	}

I also believe we use a session cookie instead of a permanent cookie which explains why it expires between browser sessions: https://developer.mozilla.org/en-US/docs/Web/HTTP/Cookies#define_the_lifetime_of_a_cookie

@code-asher is this accurate? Is there anything we can do to improve this?

[code-asher]

I think you are right. Session cookies sound like what we want since their expiration appears to be controlled by the browser? My cookie persists after restarting my browser (Firefox). I have "restore previous session" checked which might be why.

[hwittenborn]

Session cookies sound like what we want since their expiration appears to be controlled by the browser?

I think session cookies is where my problem was, since they didn't last any longer than a browser session, which seems to be reboots in my case. Would there be any reason to not support anything longer, even if a checkbox saying something like "Remember me" had to be clicked?

[jsjoeio]

Workaround: select "Continue where you left off" in Chrome? See here

[hwittenborn]

Workaround: select "Continue where you left off" in Chrome? See here

That appears to be working - it's good enough for the time being, though my last Chrome tab always reopening after closing the browser is a bit annoying (it happens if I click the X in the top right of Chrome, closing each tab alleviates that but I'm doubting my brain's gonna remember to do that every time).

[code-asher]

I think the "remember me" checkbox requires us to set an expiration which means we would not be able to use session cookies.

Basically we can either let the user decide the session length or we can decide for them and currently we do the former.

But it does seem odd that browsers do not give you the option to remember session cookies but not re-open every tab. 🤔

We could change the login form to give the user the option of what kind of cookie to use.