From 6b00bb0a6639039b7f6348ff7ce4fd35ca675386 Mon Sep 17 00:00:00 2001
From: Viktor Liu
Date: Tue, 10 Feb 2026 18:27:03 +0800
Subject: [PATCH] Strip session_token on redirect
---
 proxy/internal/auth/middleware.go | 17 ++++++++++++++++-
 1 file changed, 16 insertions(+), 1 deletion(-)
diff --git a/proxy/internal/auth/middleware.go b/proxy/internal/auth/middleware.go
index 0a98efe59..92b4a74a8 100644
--- a/proxy/internal/auth/middleware.go
+++ b/proxy/internal/auth/middleware.go
@@ -7,6 +7,7 @@ import (
 "fmt"
 "net"
 "net/http"
+ "net/url"
 "sync"
 "time"
 
@@ -124,7 +125,8 @@ func (mw *Middleware) Protect(next http.Handler) http.Handler {
 if cd := proxy.CapturedDataFromContext(r.Context()); cd != nil {
 cd.SetOrigin(proxy.OriginAuth)
 }
-http.Redirect(w, r, r.URL.RequestURI(), http.StatusSeeOther)
+redirectURL := stripSessionTokenParam(r.URL)
+http.Redirect(w, r, redirectURL, http.StatusSeeOther)
 return
 }
 methods[scheme.Type().String()] = promptData
@@ -173,3 +175,16 @@ func (mw *Middleware) RemoveDomain(domain string) {
 defer mw.domainsMux.Unlock()
 delete(mw.domains, domain)
 }
+
+// stripSessionTokenParam returns the request URI with the session_token query
+// parameter removed so it doesn't linger in the browser's address bar or history.
+func stripSessionTokenParam(u *url.URL) string {
+ q := u.Query()
+ if !q.Has("session_token") {
+ return u.RequestURI()
+ }
+ q.Del("session_token")
+ clean := *u
+ clean.RawQuery = q.Encode()
+ return clean.RequestURI()
+}
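Review bot: The target passed on the new `http.Redirect` line is still derived from the raw request path through `RequestURI()`, so a request whose path begins with `//` yields a protocol-relative value that `http.Redirect` leaves as-is (it only absolutizes targets with no host), which lets the Location header point off-origin. Since this redirect is meant to land on the same resource, it is worth pinning it to a same-origin path before redirecting, e.g. `if strings.HasPrefix(redirectURL, "//") { redirectURL = "/" + strings.TrimLeft(redirectURL, "/") }` (this needs `strings`, which is not visible in the import hunk). The removed line had the same exposure, so this is a pre-existing gap rather than one the commit introduces, but the new helper is the natural place to close it. Protect's body starts and ends outside the hunk.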
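Review bot: `u.Query()` on the first line of stripSessionTokenParam discards the `url.ParseQuery` error, so on a malformed query string the unparsable pairs are dropped and the redirect target silently differs from the request beyond removing the token; `q.Encode()` then re-emits the surviving parameters sorted by key with canonical escaping, so their order and spelling may change too. Both are likely acceptable for a same-page auth redirect, but the doc comment should say so, e.g. `// Remaining parameters are re-encoded in sorted key order; pairs that fail to parse are dropped.` If that is not intended, `q, err := url.ParseQuery(u.RawQuery)` makes the malformed-input choice explicit instead of implicit.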