refactor: improve cookie handling

pkg/proxy/handler.go

@@ -91,7 +91,7 @@ func (p *Proxy) proxyRequest(cluster string, host *config.Host, w http.ResponseW
 	req.ContentLength = r.ContentLength
 	p.copyHeaders(r.Header, req.Header)
 	if p.config.PassthroughAuth {
-		if err := p.addAuthCookie(cluster, r, req.Header); err != nil {
+		if err := p.mangleCookies(cluster, r, req.Header); err != nil {
 			return err
 		}
 	}
@@ -120,7 +120,6 @@ func (p *Proxy) copyHeaders(src http.Header, dst http.Header) {
 			if k == "Content-Length" ||
 				k == "Transfer-Encoding" ||
 				k == "Accept-Encoding" ||
-				(p.config.PassthroughAuth && k == "Cookie") ||
 				k == "Sec-Websocket-Version" ||
 				k == "Connection" ||
 				k == "Upgrade" ||
@@ -168,7 +167,7 @@ func (p *Proxy) proxyWebsocket(cluster string, host *config.Host, w http.Respons
 	bhead := http.Header{}
 	p.copyHeaders(r.Header, bhead)
 	if p.config.PassthroughAuth {
-		if err := p.addAuthCookie(cluster, r, bhead); err != nil {
+		if err := p.mangleCookies(cluster, r, bhead); err != nil {
 			return err
 		}
 	}

pkg/proxy/sessions.go

@@ -187,7 +187,15 @@ func (p *Proxy) registerSession(log logrus.FieldLogger, sid uuid.UUID, cluster s
 	return nil
 }
 
-func (p *Proxy) addAuthCookie(cluster string, r *http.Request, h http.Header) error {
+func (p *Proxy) mangleCookies(cluster string, r *http.Request, h http.Header) error {
+	h.Del("Cookie")
+	for _, c := range r.Cookies() {
+		if c.Name != "PVEAuthCookie" &&
+			c.Name != clusterCookieName &&
+			c.Name != sessionCookieName {
+			h.Add("Cookie", c.String())
+		}
+	}
 	rsid, err := r.Cookie(sessionCookieName)
 	if errors.Is(err, http.ErrNoCookie) {
 		return nil