Do not leak access key in browser

2026-02-23 15:14:49 +01:00 · 2018-12-12 18:37:50 +09:00
parent 475ea68696
commit 22d59a1ed7
1 changed files with 4 additions and 1 deletions
--- a/BTCPayServer/Controllers/ServerController.cs
+++ b/BTCPayServer/Controllers/ServerController.cs
@@ -487,7 +487,10 @@ namespace BTCPayServer.Controllers
                var cookie = System.IO.File.ReadAllText(spark.CookeFile).Split(':');
                if (cookie.Length >= 3)
                {
-                    return Redirect($"{spark.Server.AbsoluteUri}?access-key={cookie[2]}");
+                    var client = HttpClientFactory.CreateClient();
+                    var response = await client.GetAsync($"{spark.Server.AbsoluteUri}?access-key={cookie[2]}");
+                    HttpContext.Response.SetHeader("Set-Cookie", response.Headers.GetValues("Set-Cookie").First());
+                    return Redirect($"{spark.Server.AbsoluteUri}");
                }
            }
            catch(Exception ex)