Allow transfer of cookie over unsecure connection

[fxrb]

I use bacula-web on the LAN without certificates.

As the 'Bacula-Web' cookie hast the secure attribute set to true it will not be transferred by my browser (FF 145.0). The missing cookie will prevent bacula-web from working correctly. Hence my question: would it be okay to transfer the cookie even if the connection is not secure?

This could be done by setting the cookie's secure attribute to false:

--- container-bindings.original.php	2025-11-16 12:25:13.112576287 +0100
+++ container-bindings.fxrb.php	2025-11-16 12:31:26.757088888 +0100
@@ -67,7 +67,7 @@
         'lifetime' => 7200,
         'path' => null,
         'domain' => null,
-        'secure' => true,
+        'secure' => false,
         'httponly' => true,
         'cache_limiter' => 'nocache',
 	      'cookie_samesite' => 'Lax'

This would work for other browsers like Google Crome 142.0.7444.17 too.

[dfranco]

Hi @fxrb

Good catch and thanks for raising this point

I have a much better idea, without need to change code manually.

I'll keep you posted once I have a patch

Best

[dfranco]

Hi @fxrb

Good catch and thanks for raising this point

I have a much better idea, without need to change code manually.

I'll keep you posted once I have a patch

Best

@fxrb this cause also an issue with csrf token validation while not using https.

I'll publish a new release which fix this today or tomorrow.

In the meantime, you can set to false the secure flag on the session cookie.

Thanks again for raising this issue.

Best,

[dfranco]

Hi @fxrb

This should be now fixed in https://github.com/bacula-web/bacula-web/releases/tag/v9.9.1

Please let me know if you face the same issue using this version.

[fxrb]

Many thanks for quickly fixing this
I have just tested version v9.9.1 and the problem has gone.

Excellent work!

[dfranco]

Thanks for your feedback @fxrb