Skip to content

Fix incorrect boolean evaluation for OVERLEAF_SECURE_COOKIE and OVERLEAF_BEHIND_PROXY#1428

Open
Rui0828 wants to merge 2 commits intooverleaf:mainfrom
Rui0828:fix/overleaf-env-var-configuration-bugs
Open

Fix incorrect boolean evaluation for OVERLEAF_SECURE_COOKIE and OVERLEAF_BEHIND_PROXY#1428
Rui0828 wants to merge 2 commits intooverleaf:mainfrom
Rui0828:fix/overleaf-env-var-configuration-bugs

Conversation

@Rui0828
Copy link
Copy Markdown

@Rui0828 Rui0828 commented Dec 3, 2025
edited
Loading

Problem

The current implementation in server-ce/config/settings.js has two issues with environment variable handling:

1. OVERLEAF_SECURE_COOKIE: Uses incorrect boolean evaluation

secureCookie: process.env.OVERLEAF_SECURE_COOKIE != null,

The expression != null only checks if the variable exists, not its value:

  • OVERLEAF_SECURE_COOKIE=false → evaluates to true (variable exists)
  • OVERLEAF_SECURE_COOKIE=true → evaluates to true (variable exists)
  • Unset → evaluates to false

Result: Users cannot disable secure cookies even when explicitly setting false.

2. OVERLEAF_BEHIND_PROXY: Hardcoded to true, ignoring environment variable

behindProxy: true,

The environment variable OVERLEAF_BEHIND_PROXY is completely ignored, making it impossible to disable proxy mode through configuration.

Impact

This is particularly problematic because the default configuration template in overleaf/toolkit at lib/config-seed/variables.env includes:

## Set for TLS via nginx-proxy
# OVERLEAF_BEHIND_PROXY=true
# OVERLEAF_SECURE_COOKIE=true

Users who uncomment these lines and set them to false (e.g., for local development or HTTP-only deployments) will find:

  • OVERLEAF_SECURE_COOKIE=false doesn't work - secure cookies are still enabled
  • OVERLEAF_BEHIND_PROXY=false is completely ignored - proxy mode is always on

This causes:

  • Session cookies not being set in HTTP environments (blocking all logins with 403 CSRF errors)
  • Incorrect proxy header handling
  • Confusion and debugging difficulties for users running without a proxy

Solution

This PR fixes both issues:

1. OVERLEAF_SECURE_COOKIE: Changed to properly parse string values

secureCookie: process.env.OVERLEAF_SECURE_COOKIE === 'true',

2. OVERLEAF_BEHIND_PROXY: Changed to read from environment variable

behindProxy: process.env.OVERLEAF_BEHIND_PROXY === 'true',

Now the behavior is correct:

  • OVERLEAF_SECURE_COOKIE=truetrue
  • OVERLEAF_SECURE_COOKIE=falsefalse
  • OVERLEAF_BEHIND_PROXY=truetrue
  • OVERLEAF_BEHIND_PROXY=falsefalse
  • Unset → false (safe default for development)

Testing

Tested with various configurations:

  • ✅ Setting OVERLEAF_SECURE_COOKIE=false now correctly allows HTTP cookies
  • ✅ Setting OVERLEAF_BEHIND_PROXY=false now correctly disables proxy mode
  • ✅ Default behavior (unset) uses safe defaults
  • ✅ Explicit true values work as expected
  • ✅ HTTP-only deployment now works correctly without 403 CSRF errors

Breaking Changes

None. This fixes broken behavior while maintaining backward compatibility:

  • Unset variables still default to false
  • Setting to true continues to work as expected

Fixes #1032

@Rui0828
fix: parse OVERLEAF_SECURE_COOKIE as boolean value
d2b078f
@Rui0828
fix: allow OVERLEAF_BEHIND_PROXY to be configured via environment var…
8cbae10 
…iable

Previously, behindProxy was hardcoded to true, making it impossible
to disable proxy mode via environment variables.

Changed to read from OVERLEAF_BEHIND_PROXY environment variable,
defaulting to false when not set.
@Rui0828 Rui0828 mentioned this pull request Dec 3, 2025
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

Overleaf docker on unRaid cookie problem, when creating admin account.

1 participant

@Rui0828