From bd5b3e1f5f02a828990a76bd1c449b0a302b594f Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Antti=20Pyykk=C3=B6nen?= Date: Mon, 27 Jan 2025 16:33:02 +0200 Subject: [PATCH] Add documentation regarding new security cookie options Related PR https://github.com/open-webui/open-webui/pull/8978 --- .../advanced-topics/env-configuration.md | 40 +++++++++++++++++++ 1 file changed, 40 insertions(+) diff --git a/docs/getting-started/advanced-topics/env-configuration.md b/docs/getting-started/advanced-topics/env-configuration.md index 6d5987a..4b881c7 100644 --- a/docs/getting-started/advanced-topics/env-configuration.md +++ b/docs/getting-started/advanced-topics/env-configuration.md 
@@ -597,12 +597,52 @@ requests initiated by third-party websites, but only over HTTPS. - Default: `lax` - Description: Sets the `SameSite` attribute for session cookies. +:::warning + +When `ENABLE_OAUTH_SIGNUP` is enabled, setting `WEBUI_SESSION_COOKIE_SAME_SITE` to `strict` can cause login failures. This is because Open WebUI uses a session cookie to validate the callback from the OAuth provider, which helps prevent CSRF attacks. + +However, a `strict` session cookie is not sent with the callback request, leading to potential login issues. If you experience this problem, use the default `lax` value instead. + +::: + #### `WEBUI_SESSION_COOKIE_SECURE` - Type: `bool` - Default: `False` - Description: Sets the `Secure` attribute for session cookies if set to `True`. +#### `WEBUI_AUTH_COOKIE_SAME_SITE` + +- Type: `str` (enum: `lax`, `strict`, `none`) +- Options: + - `lax` - Sets the `SameSite` attribute to lax, allowing auth cookies to be sent with +requests initiated by third-party websites. + - `strict` - Sets the `SameSite` attribute to strict, blocking auth cookies from being sent +with requests initiated by third-party websites. + - `none` - Sets the `SameSite` attribute to none, allowing auth cookies to be sent with +requests initiated by third-party websites, but only over HTTPS. +- Default: `lax` +- Description: Sets the `SameSite` attribute for auth cookies. + +:::info + +If the value is not set, `WEBUI_SESSION_COOKIE_SAME_SITE` will be used as a fallback. + +::: + +#### `WEBUI_AUTH_COOKIE_SECURE` + +- Type: `bool` +- Default: `False` +- Description: Sets the `Secure` attribute for auth cookies if set to `True`. + +:::info + +If the value is not set, `WEBUI_SESSION_COOKIE_SECURE` will be used as a fallback. + +::: + + #### `WEBUI_AUTH` - Type: `bool`
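Review bot: The `none` option under `WEBUI_AUTH_COOKIE_SAME_SITE` says cookies are sent "only over HTTPS" but does not tie that to the `Secure` attribute; browsers discard a `SameSite=None` cookie that lacks `Secure`, so the docs should state that choosing `none` requires `WEBUI_AUTH_COOKIE_SECURE` (or its `WEBUI_SESSION_COOKIE_SECURE` fallback) to be `True`, and the same caveat applies to the existing `none` option of `WEBUI_SESSION_COOKIE_SAME_SITE`. Also, the `Default: lax` and `Default: False` lines for the two new `WEBUI_AUTH_COOKIE_*` options contradict the `:::info` boxes that say the unset value falls back to the session cookie setting; stating the default as "value of `WEBUI_SESSION_COOKIE_SAME_SITE`" / "value of `WEBUI_SESSION_COOKIE_SECURE`" would match the described behaviour. Finally, the `:::warning` about `strict` breaking the OAuth callback is added only to the session cookie section; a sentence saying whether the auth cookie is affected in the same way would save operators from guessing.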