From c0395eb97a939bebb59c3a025ee2ecab7614d0cd Mon Sep 17 00:00:00 2001
From: Quantum
Date: Sun, 20 Jul 2025 17:29:01 -0400
Subject: [PATCH] Don't create cookies when mTLS is used
---
 nginx_krbauth.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)
diff --git a/nginx_krbauth.py b/nginx_krbauth.py
index 8c0693a..05f5c0d 100644
--- a/nginx_krbauth.py
+++ b/nginx_krbauth.py
@@ -192,7 +192,8 @@ def auth() -> Response:
 authorization = request.headers.get('Authorization', '')
 if check_tls():
- return auth_success(context, next_url)
+ # No cookie required since the check endpoint can trivially verify mTLS.
+ return redirect(next_url, code=307)
 if ENABLE_GSSAPI and authorization.startswith('Negotiate '):
 return auth_spnego(context, next_url)
 if LDAP_USER_DN and authorization.startswith('Basic '):
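Review bot: The new `return redirect(next_url, code=307)` in the `check_tls()` branch of `auth()` skips everything `auth_success(context, next_url)` did, not only the cookie. That function is outside the hunk, so it is worth confirming it does nothing else that mTLS clients still need, such as validating `next_url` or logging the successful login. The branch is also only correct if the check endpoint evaluates `check_tls()` on every request before it looks for a cookie; otherwise an mTLS client would presumably be bounced between the two endpoints. I would make that dependency explicit in the comment, e.g. `# No cookie: the check endpoint must call check_tls() itself on every request, before any cookie lookup.` The body of `auth()` starts and continues outside the hunk.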