Cloudflared + DT Security Issue

I’ve run into a weird security issue.

The problem

When using cloudflared to create a tunnel to DEVONthink Server, login credentials appear to be shared with anyone else who also visits the site during the time a user is logged in.


I have a Zero Trust team set up. Using cloudflared to open a tunnel from Zero Trust to my home network with ingress rules to point various subdomains to specific servers. Cloudflare is handling DNS and points three subdomains to the cloudflared tunnel, which are then routed: points to my Calibre server, points to my Plex server, and points to DT server.

All seem to work fine (something I could never get with caddy, nginx, or OpenVPN) with one glaring exception. Once I log in to DT Server from a browser, it is served to anyone without requiring credentials. E.g., if I log in from my computer, and my daughter points her browser on her MBA to the login window is bypassed and she has my access to the databases. My brother in another state, same thing–and as soon as I log out, they can no longer see anything (or rather, they see the weird 403 errors that occur when you’ve left a session open and it times out and you try to click on something).

This does NOT happen with Calibre or Plex, when I am logged in and someone else goes to those URLs, they are presented with the appropriate login screen and must log in before accessing those services–only DT Server seems to be bypassing the log-in screen if someone is already logged in.

Config Info

Software versions

macOS: 11.6.7
DT Server: 3.8.4
cloudflared: 2022.7.1

My cloudflared config.yaml:

tunnel: TUNNEL ID
credentials-file: /Users/username/.cloudflared/TUNNEL ID.json
  enabled: true

  - hostname:
    service: http://localhost:50677
  - hostname:
  - hostname:
    service: http://localhost:32400
       noTLSVerify: true
  - service: http_status:404

My CNAME entries on Cloudflare

My Zero Trust Tunnel

Does that do any load balancing? Are there some tricks going on with cookies causing every http visitor to present the same payload?

You could turn on the apache web server in your macos, set up simple auth to a “hello, world” web page, and see if it gets confused about logins, too.


No load balancing or weird ccokies that I’ve changed from the default settings.

I set up a simple web page with basic auth, and while logged in, making other attempt also log in, which is consistent with the way Calibre server and Plex server are running–it only seems to affect DT.

Are all of you using the same browser? I’m just asking because I remember some recent trouble with Firefox log-ins.

The next release will slightly revise the cookie handling, maybe this will fix this CloudFlare issue too.

1 Like

Safari, Firefox, Vivaldi, Edge, and Chrome on a combination of the last few releases of macOS and Windows 10.

and Windows 10.

Why not Windows 11?

I’m no lover of the platform (though I’ve used it for years), but Windows 11 is way nicer than 10.

Seems like there must be some kind of man-in-the-middle effect going on. I assume the Devonthink server is basically REST, so persistence is the job of the visiting client.

When a second visitor gets in on a first user’s credentials, does the second user drop into the same view of DT as the first had?

Another test would be to have one simple Apache page, authenticated or not, set a cookie and let another page display the cookie. If one user could get the cookie set and the next one view it, that would be evidence as to the problem being in DT or not.

Work computer in a healthcare setting–they only moved us from Windows 7 in 2020…

1 Like

Each user can browse independently–but if either logs out, both are now logged out.

Well, there you go. I would have bet good money on that being impossible. The credentials must be carried by the visitor as cookies.

About the only other thing I can think of at the moment is to use your browser’s developer tools and compare cookies on two browsers.

My guess is you’ll see session cookies for authentication. They should be different for different users.

If you’re running two browser instances on the same machine, that would be a different situation. For different browsers on different machines, login and authentication should be separate - or at least that’s what it seems to me as a guess without information.

1 Like

If either the browser, the computer or the current user account (the one of the system, not the one of the server) are different, then the cookies should be definitely different and independent.

As soon as the next release will be available, please enable the hidden preference ServerDebugLog and try to reproduce the issue.

The file ~/Library/Application Support/DEVONthink 3/Console.log plus the time of your login and the time of somebody else accessing the web interface without being prompted to login would be great.

Or if you’re interested in a beta, just let me know.


While I’d love to try the beta–I also know that my weekend is already full. Either way, I’ll test as soon as possible.

1 Like