Fixed for HTTP session with reverse proxies.

Ylian Saint-Hilaire 2021-04-14 00:09:00 -07:00
parent c74a207606
commit 24cfc89522
3 changed files with 4 additions and 3 deletions


@ -1556,7 +1556,7 @@ module.exports.CreateMeshAgent = function (parent, db, ws, req, args, domain) {
// Complete 2FA checking
if (authCookie.a == 'checkAuth') {
// TODO
console.log(authCookie);
//console.log(authCookie);
}
break;
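Review bot: The `checkAuth` branch under "Complete 2FA checking" still contains only `// TODO`, so as far as this hunk shows nothing is verified when an auth cookie with `a == 'checkAuth'` arrives. The surrounding switch is outside the hunk, so the check may be handled elsewhere. Disabling `console.log(authCookie)` is the right direction, since it wrote the auth cookie object to the server console, but the line should be deleted rather than kept as `//console.log(authCookie);` so it cannot be re-enabled by accident.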


@ -2032,7 +2032,8 @@
QV('authKeySetupCheck', userinfo.otphkeys > 0);
QV('authPushAuthDevCheck', (userinfo.otpdev > 0) && ((features2 & 2) != 0));
QV('authCodesSetupCheck', userinfo.otpkeys > 0);
QV('managePushAuthDev', (features2 & 2) && (count2factoraAuths() > 0));
//QV('managePushAuthDev', (features2 & 2) && (count2factoraAuths() > 0));
QV('managePushAuthDev', false);
mainUpdate(4 + 128 + 4096);
// Check if none or at least 2 factors are enabled.
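Review bot: `QV('managePushAuthDev', false);` hard-codes the push-authentication device management control to hidden, with no comment saying why, and the commit title does not mention the change. If this control is the only place a user can remove an enrolled push-auth device, a lost or replaced device could no longer be unenrolled from the UI; the rest of the page is outside the hunk, so that is an assumption to confirm. Either restore the condition or replace the commented-out line with an explanation, e.g. `// TODO: push-auth device management temporarily hidden - <reason>`.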


@ -5153,7 +5153,7 @@ module.exports.CreateWebServer = function (parent, db, args, certificates) {
name: 'xid', // Recommended security practice to not use the default cookie name
httpOnly: true,
keys: [obj.args.sessionkey], // If multiple instances of this server are behind a load-balancer, this secret must be the same for all instances
secure: true // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
secure: (obj.args.tlsoffload == null) // Use this cookie only over TLS (Check this: https://expressjs.com/en/guide/behind-proxies.html)
}
if (obj.args.sessionsamesite != null) { sessionOptions.sameSite = obj.args.sessionsamesite; } else { sessionOptions.sameSite = 'strict'; }
if (obj.args.sessiontime != null) { sessionOptions.maxAge = (obj.args.sessiontime * 60 * 1000); }
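Review bot: The new `secure: (obj.args.tlsoffload == null)` drops the Secure attribute from the `xid` session cookie whenever TLS offload is configured, even though the browser-to-proxy leg is normally still HTTPS. Without Secure, the browser also attaches the session cookie to any plain-HTTP request to the same host, where it can be read on the network path. The Express guide linked in the comment describes the alternative: keep `secure: true` and enable the `trust proxy` setting so a request forwarded with `X-Forwarded-Proto: https` is treated as secure. If some deployments really serve plain HTTP, a separate explicit option would be safer than tying this to `tlsoffload`. CreateWebServer continues outside the hunk, so whether `trust proxy` is already configured elsewhere cannot be seen here.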