Subdomains use same password as domain

[Timon-D3v]

Is there an existing issue for this?

• I have searched the existing issues

OS/Web Information

• Web Browser: Opera GX / Brave / Chrome
• Local OS: Windows / Arch
• Remote OS: TrueNAS Scale
• Remote Architecture: x64
• code-server --version: 4.105.1-ls303

Steps to Reproduce

1. Create two instances of code server that use a password (not the same for both instances)
2. Map them to domains like follows:
   • 1. Instance: code.example.com
   • 2. Instance: node2.code.example.com
3. Log in to Instance 1 with your password
4. Try to log in to Instance 2

Expected

You should be able to just normally log in to the other instance (or at least get an error message saying: wrong password || credentials too old || cannot verify credentials)

Actual

The user gets redirected to the login page without any message whatsoever.

Logs

Note: I don't know how to run it in verbose mode in my docker setup, sorry. But I don't think it is really needed.


Node 1:
2025-10-30 18:09:52.314255+00:00[migrations] started
2025-10-30 18:09:52.314472+00:00[migrations] no migrations found
2025-10-30 18:09:53.063863+00:00usermod: user abc is currently used by process 1
2025-10-30 18:09:53.066090+00:00───────────────────────────────────────
2025-10-30 18:09:53.066142+00:002025-10-30T18:09:53.066142504Z
2025-10-30 18:09:53.066190+00:00██╗     ███████╗██╗ ██████╗
2025-10-30 18:09:53.066220+00:00██║     ██╔════╝██║██╔═══██╗
2025-10-30 18:09:53.066243+00:00██║     ███████╗██║██║   ██║
2025-10-30 18:09:53.066266+00:00██║     ╚════██║██║██║   ██║
2025-10-30 18:09:53.066303+00:00███████╗███████║██║╚██████╔╝
2025-10-30 18:09:53.066326+00:00╚══════╝╚══════╝╚═╝ ╚═════╝
2025-10-30 18:09:53.066350+00:002025-10-30T18:09:53.066350047Z
2025-10-30 18:09:53.066385+00:00Brought to you by linuxserver.io
2025-10-30 18:09:53.066408+00:00───────────────────────────────────────
2025-10-30 18:09:53.066759+00:002025-10-30T18:09:53.066759013Z
2025-10-30 18:09:53.066811+00:00To support LSIO projects visit:
2025-10-30 18:09:53.066839+00:00https://www.linuxserver.io/donate/
2025-10-30 18:09:53.066883+00:002025-10-30T18:09:53.066883985Z
2025-10-30 18:09:53.066907+00:00───────────────────────────────────────
2025-10-30 18:09:53.066932+00:00GID/UID
2025-10-30 18:09:53.066955+00:00───────────────────────────────────────
2025-10-30 18:09:53.072499+00:002025-10-30T18:09:53.072499186Z
2025-10-30 18:09:53.072547+00:00User UID:    0
2025-10-30 18:09:53.072572+00:00User GID:    0
2025-10-30 18:09:53.072595+00:00───────────────────────────────────────
2025-10-30 18:09:53.074429+00:00Linuxserver.io version: 4.105.1-ls303
2025-10-30 18:09:53.074722+00:00Build-date: 2025-10-25T20:22:31+00:00
2025-10-30 18:09:53.074769+00:00───────────────────────────────────────
2025-10-30 18:09:53.074795+00:002025-10-30T18:09:53.074795319Z
2025-10-30 18:09:53.156002+00:00[custom-init] No custom files found, skipping...
2025-10-30 18:09:53.660332+00:00[2025-10-30T18:09:53.656Z] info  code-server 4.105.1 811ec6c1d60add2eb92446161ca812828fdbaa7f
2025-10-30 18:09:53.661079+00:00[2025-10-30T18:09:53.658Z] info  Using user-data-dir /config/data
2025-10-30 18:09:53.670893+00:00[2025-10-30T18:09:53.670Z] info  Using config file /config/.config/code-server/config.yaml
2025-10-30 18:09:53.670998+00:00[2025-10-30T18:09:53.670Z] info  HTTP server listening on http://0.0.0.0:8443/
2025-10-30 18:09:53.671042+00:00[2025-10-30T18:09:53.670Z] info    - Authentication is enabled
2025-10-30 18:09:53.671059+00:00[2025-10-30T18:09:53.670Z] info      - Using password from $PASSWORD
2025-10-30 18:09:53.671076+00:00[2025-10-30T18:09:53.670Z] info    - Not serving HTTPS
2025-10-30 18:09:53.671214+00:00[2025-10-30T18:09:53.670Z] info  Session server listening on /config/data/code-server-ipc.sock
2025-10-30 18:09:54.189363+00:00Connection to 127.0.0.1 8443 port [tcp/*] succeeded!
2025-10-30 18:09:54.210548+00:00[ls.io-init] done.
2025-10-30 18:09:57.107041+00:00[19:09:57] 
2025-10-30 18:09:57.107116+00:002025-10-30T18:09:57.107116364Z
2025-10-30 18:09:57.107130+00:002025-10-30T18:09:57.107130874Z
2025-10-30 18:09:57.107143+00:002025-10-30T18:09:57.107143844Z
2025-10-30 18:09:57.107157+00:002025-10-30T18:09:57.107157114Z
2025-10-30 18:09:57.153018+00:00[19:09:57] Extension host agent started.
2025-10-30 18:12:32.583813+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js
2025-10-30 18:12:32.585191+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 18:12:32.597616+00:00[19:12:32] [172.16.6.1][db85d9fd][ManagementConnection] New connection established.
2025-10-30 18:12:33.047421+00:00[19:12:33] [172.16.6.1][61af9471][ExtensionHostConnection] New connection established.
2025-10-30 18:12:33.138693+00:00[19:12:33] [172.16.6.1][61af9471][ExtensionHostConnection] <1317> Launched Extension Host Process.
2025-10-30 18:17:54.373499+00:00[19:17:54] [172.16.6.1][db85d9fd][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
2025-10-30 18:17:54.442345+00:00[19:17:54] [172.16.6.1][61af9471][ExtensionHostConnection] <1317> Extension Host Process exited with code: 0, signal: null.
2025-10-30 18:17:55.101222+00:00[19:17:55] [172.16.6.1][f2f67548][ManagementConnection] New connection established.
2025-10-30 18:17:55.173520+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 18:17:55.411564+00:00[19:17:55] [172.16.6.1][8ac29590][ExtensionHostConnection] New connection established.
2025-10-30 18:17:55.418260+00:00[19:17:55] [172.16.6.1][8ac29590][ExtensionHostConnection] <3782> Launched Extension Host Process.
2025-10-30 18:21:05.463028+00:00[19:21:05] [172.16.6.1][f2f67548][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
2025-10-30 18:21:05.527846+00:00[19:21:05] [172.16.6.1][8ac29590][ExtensionHostConnection] <3782> Extension Host Process exited with code: 0, signal: null.
2025-10-30 19:34:00.117881+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js
2025-10-30 19:34:00.119565+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 19:34:00.126297+00:00[20:34:00] [172.16.6.1][e6eac3b4][ManagementConnection] New connection established.
2025-10-30 19:34:00.977799+00:00[20:34:00] [172.16.6.1][0c04f54f][ExtensionHostConnection] New connection established.
2025-10-30 19:34:00.989010+00:00[20:34:00] [172.16.6.1][0c04f54f][ExtensionHostConnection] <12149> Launched Extension Host Process.
2025-10-30 19:34:39.794846+00:00[20:34:39] [172.16.6.1][e6eac3b4][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
2025-10-30 19:34:39.862221+00:00[20:34:39] [172.16.6.1][0c04f54f][ExtensionHostConnection] <12149> Extension Host Process exited with code: 0, signal: null.
2025-10-30 19:34:40.541877+00:00[20:34:40] [172.16.6.1][14a2aa2b][ManagementConnection] New connection established.
2025-10-30 19:34:40.607705+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 19:34:40.958048+00:00[20:34:40] [172.16.6.1][40076eb2][ExtensionHostConnection] New connection established.
2025-10-30 19:34:40.968801+00:00[20:34:40] [172.16.6.1][40076eb2][ExtensionHostConnection] <13440> Launched Extension Host Process.
2025-10-30 19:56:23.601570+00:00[20:56:23] [172.16.6.1][14a2aa2b][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
2025-10-30 19:56:23.704190+00:00[20:56:23] [172.16.6.1][40076eb2][ExtensionHostConnection] <13440> Extension Host Process exited with code: 0, signal: null.
2025-10-30 19:56:24.141770+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 19:56:24.144388+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js
2025-10-30 19:56:24.148603+00:00[20:56:24] [172.16.6.1][512c609c][ManagementConnection] New connection established.
2025-10-30 19:56:24.415504+00:00[20:56:24] [172.16.6.1][15567b19][ExtensionHostConnection] New connection established.
2025-10-30 19:56:24.424600+00:00[20:56:24] [172.16.6.1][15567b19][ExtensionHostConnection] <20333> Launched Extension Host Process.
2025-10-30 19:57:47.734898+00:00[20:57:47] [172.16.6.1][512c609c][ManagementConnection] The client has disconnected gracefully, so the connection will be disposed.
2025-10-30 19:57:47.795912+00:00[20:57:47] [172.16.6.1][15567b19][ExtensionHostConnection] <20333> Extension Host Process exited with code: 0, signal: null.
2025-10-30 19:57:48.189060+00:00[20:57:48] [172.16.6.1][d75db4cf][ManagementConnection] New connection established.
2025-10-30 19:57:48.260265+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 19:57:48.438815+00:00[20:57:48] [172.16.6.1][d9186fe6][ExtensionHostConnection] New connection established.
2025-10-30 19:57:48.468452+00:00[20:57:48] [172.16.6.1][d9186fe6][ExtensionHostConnection] <21136> Launched Extension Host Process.
2025-10-30 20:16:02.615872+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js
2025-10-30 20:16:02.616141+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 20:16:02.625349+00:00[21:16:02] [172.16.6.1][34c134b3][ManagementConnection] New connection established.
2025-10-30 20:16:03.059482+00:00[21:16:03] [172.16.6.1][54bfee9e][ExtensionHostConnection] New connection established.
2025-10-30 20:16:03.068775+00:00[21:16:03] [172.16.6.1][54bfee9e][ExtensionHostConnection] <26732> Launched Extension Host Process.













Node 2:
2025-10-30 20:06:59.956411+00:00[migrations] started
2025-10-30 20:06:59.956703+00:00[migrations] no migrations found
2025-10-30 20:07:00.069345+00:00usermod: user abc is currently used by process 1
2025-10-30 20:07:00.070798+00:00───────────────────────────────────────
2025-10-30 20:07:00.070827+00:002025-10-30T20:07:00.070827745Z
2025-10-30 20:07:00.070858+00:00██╗     ███████╗██╗ ██████╗
2025-10-30 20:07:00.070873+00:00██║     ██╔════╝██║██╔═══██╗
2025-10-30 20:07:00.070888+00:00██║     ███████╗██║██║   ██║
2025-10-30 20:07:00.070902+00:00██║     ╚════██║██║██║   ██║
2025-10-30 20:07:00.070924+00:00███████╗███████║██║╚██████╔╝
2025-10-30 20:07:00.070939+00:00╚══════╝╚══════╝╚═╝ ╚═════╝
2025-10-30 20:07:00.070953+00:002025-10-30T20:07:00.070953948Z
2025-10-30 20:07:00.070974+00:00Brought to you by linuxserver.io
2025-10-30 20:07:00.070989+00:00───────────────────────────────────────
2025-10-30 20:07:00.071325+00:002025-10-30T20:07:00.071325419Z
2025-10-30 20:07:00.071386+00:00To support LSIO projects visit:
2025-10-30 20:07:00.071401+00:00https://www.linuxserver.io/donate/
2025-10-30 20:07:00.071433+00:002025-10-30T20:07:00.071433074Z
2025-10-30 20:07:00.071447+00:00───────────────────────────────────────
2025-10-30 20:07:00.071463+00:00GID/UID
2025-10-30 20:07:00.071477+00:00───────────────────────────────────────
2025-10-30 20:07:00.076182+00:002025-10-30T20:07:00.076182850Z
2025-10-30 20:07:00.076217+00:00User UID:    0
2025-10-30 20:07:00.076231+00:00User GID:    0
2025-10-30 20:07:00.076245+00:00───────────────────────────────────────
2025-10-30 20:07:00.077840+00:00Linuxserver.io version: 4.105.1-ls303
2025-10-30 20:07:00.078016+00:00Build-date: 2025-10-25T20:22:31+00:00
2025-10-30 20:07:00.078046+00:00───────────────────────────────────────
2025-10-30 20:07:00.078061+00:002025-10-30T20:07:00.078061477Z
2025-10-30 20:07:00.144052+00:00[custom-init] No custom files found, skipping...
2025-10-30 20:07:01.051850+00:00[2025-10-30T20:07:01.044Z] info  code-server 4.105.1 811ec6c1d60add2eb92446161ca812828fdbaa7f
2025-10-30 20:07:01.052524+00:00[2025-10-30T20:07:01.050Z] info  Using user-data-dir /config/data
2025-10-30 20:07:01.073456+00:00[2025-10-30T20:07:01.073Z] info  Using config file /config/.config/code-server/config.yaml
2025-10-30 20:07:01.073545+00:00[2025-10-30T20:07:01.073Z] info  HTTP server listening on http://0.0.0.0:8443/
2025-10-30 20:07:01.073566+00:00[2025-10-30T20:07:01.073Z] info    - Authentication is enabled
2025-10-30 20:07:01.073963+00:00[2025-10-30T20:07:01.073Z] info      - Using password from $PASSWORD
2025-10-30 20:07:01.073995+00:00[2025-10-30T20:07:01.073Z] info    - Not serving HTTPS
2025-10-30 20:07:01.074206+00:00[2025-10-30T20:07:01.073Z] info  Session server listening on /config/data/code-server-ipc.sock
2025-10-30 20:07:01.174420+00:00Connection to 127.0.0.1 8443 port [tcp/*] succeeded!
2025-10-30 20:07:01.190498+00:00[ls.io-init] done.
2025-10-30 20:07:05.207395+00:00[21:07:05] 
2025-10-30 20:07:05.207497+00:002025-10-30T20:07:05.207497453Z
2025-10-30 20:07:05.207512+00:002025-10-30T20:07:05.207512645Z
2025-10-30 20:07:05.207526+00:002025-10-30T20:07:05.207526621Z
2025-10-30 20:07:05.207540+00:002025-10-30T20:07:05.207540624Z
2025-10-30 20:07:05.290693+00:00[21:07:05] Extension host agent started.
2025-10-30 20:07:06.835663+00:00[21:07:06] [192.168.1.112][d5cd8bc7] Client refused: version mismatch.
2025-10-30 20:07:06.946100+00:00[21:07:06] [192.168.1.112][1f59a838] Client refused: version mismatch.
2025-10-30 20:07:32.361421+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda_bg.wasm
2025-10-30 20:07:32.362642+00:00File not found: /app/code-server/lib/vscode/node_modules/vsda/rust/web/vsda.js
2025-10-30 20:07:32.371231+00:00[21:07:32] [192.168.1.112][dc700ea0][ManagementConnection] New connection established.
2025-10-30 20:07:32.818816+00:00[21:07:32] [192.168.1.112][5ffa1673][ExtensionHostConnection] New connection established.
2025-10-30 20:07:33.038488+00:00[21:07:33] [192.168.1.112][5ffa1673][ExtensionHostConnection] <1096> Launched Extension Host Process.

Screenshot/Video

Screenshot of the cookie tab of my browser

Does this bug reproduce in native VS Code?

This cannot be tested in native VS Code

Does this bug reproduce in GitHub Codespaces?

This cannot be tested in GitHub Codespaces

Are you accessing code-server over a secure context?

• I am using a secure context.

Notes

I am pretty sure the issue is that the cookie code-server-session gets set for .code.example.com (meaning for code.exmaple.com and all subdomains)

It is also worth metioning that this only happens if you log in to Instance 1 first.

So what I think is happening is that the backend checks for a cookie with the name code-server-session and just takes the first one it sees if it matches loosly. So when I log in to Instance 2 first, the server checks that one first and thus is works. However if I log in to Instance 1 first, Instance 2 finds the cookie of Instance 1 and since it also matches the pattern of *.code.example.com it takes it. Then realizes that it is not valid and redirects to the login page without a message (Because it thinks that the cookie is just old an you should log in again?).

So to fix this issue I would suggest to check the cookie strict and not loose. (Or check if there is a cookie that is even more explicit than the first one it sees)

(Dirty fix for the time beeing: Just create two domais that have the same depth e.g.:

• Instance 1: node1.code.example.com
• Instance 2: node2.code.example.com
  )

Cheers :)

[code-asher]

Ah yeah, we set it that way so the cookie can be used for the subdomain port proxy without having to log in for every port (like 8080.my-domain.tld, etc).

Makes sense to me to check all the cookies starting from the most explicit to least explicit.

Also, maybe we should avoid setting the cookie that way when the proxy is not enabled.

Thank you for the thorough bug report!

[Timon-D3v]

So you think I could work it out? I know typescript and web developement, but i am not so sure if i can catch the entire context.
So if you think this issue is intermediate friendly I would be willing to contribute.

[code-asher]

Appreciate the willingness! I think it should be straightforward to check the cookies but I am not entirely sure about getting them.

In node/util.ts we have isCookieValid which would need to take a string[] instead of a string for cookieKey (not sure why it is called key, seems like it should be value, but I digress). Then I guess we can probably just sort the cookie values by length and check them in order, longest first? And there will be some tests to update.

BUT an open question in my mind is how to get all the cookie values. We use Express and req.cookies["code-server-session"] to get the cookie. Does this only return one cookie when there are multiple? Or do we get an array? If it always returns one, then I assume we will have to parse req.headers.cookie ourselves. I am not sure how involved that is, hopefully it is as simple as splitting by ; then looping and splitting by =.

[code-asher]

For the second thing, not setting the cookie that way when the proxy is not enabled, this would be a trivial change to getCookieDomain in node/http (return undefined if no proxy domains). But actually I think we may want to avoid this for now, it would be a breaking change and it would also be awkward if someone was to later add a proxy domain after having logged in once.

[code-asher]

The hardest part will probably be just to get code-server running haha, VS Code has a bunch of dependencies: https://github.com/coder/code-server/blob/main/docs/CONTRIBUTING.md#requirements

And it is really, really slow, both to build, and to load VS Code in the browser (it loads every file individually instead of bundling them and this seems to take forever).