Authentication

Configure login methods, API access, rate limiting, and password storage.

Comicarr supports HTTP authentication, API key access, and several security hardening features.

HTTP Authentication

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| HTTP_USERNAME | string | | Login username. |
| HTTP_PASSWORD | string | | Login password. Stored as a bcrypt hash. |

Authentication Mode

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| AUTHENTICATION | int | 0 | Authentication method: 0 = HTTP Basic auth, 1 or 2 = form-based login. |

Basic Auth (AUTHENTICATION = 0)

Standard HTTP Basic authentication. The browser shows a native username/password dialog.

This mode is the simplest but does not support session management, login timeout, or rate limiting. The browser resends the credentials with every request, base64-encoded but not encrypted, so use it only behind HTTPS.

Form Login (AUTHENTICATION = 1 or 2)

A web-based login form served by Comicarr.

Form login supports session management, login timeout, and rate limiting. This is the recommended mode for most deployments.

Session Management

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| LOGIN_TIMEOUT | int | 43800 | Session timeout in minutes. The default is approximately 30 days (43,800 minutes); shorten it on shared or exposed machines. |

Sessions are tracked server-side. The session key is regenerated on each successful login to prevent session fixation.
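The following is an added illustration of the two behaviours just described (server-side tracking with a timeout, and issuing a fresh session id on every successful login so that a pre-planted id is never promoted to an authenticated session). It is not Comicarr's own session code; the class, method names and the injectable clock are assumptions made for the example.

```python
import secrets
import time

# LOGIN_TIMEOUT from the settings table above: session lifetime in minutes.
LOGIN_TIMEOUT_MINUTES = 43800


class SessionStore:
    """Server-side session table mapping session id -> (username, expiry).

    Hypothetical illustration of the behaviour this page describes; the class
    and method names are assumptions, not Comicarr's own session code.
    """

    def __init__(self, timeout_minutes=LOGIN_TIMEOUT_MINUTES, clock=time.time):
        self.timeout = timeout_minutes * 60   # seconds
        self.clock = clock                    # injectable so tests can move time
        self.sessions = {}

    def login(self, username, presented_sid=None):
        """Called only after the credentials have already been verified."""
        # Discard whatever id the client arrived with (an attacker may have planted
        # it via a crafted link or cookie) and issue a fresh, unguessable one.
        # This is the session-fixation defence: the attacker never learns the new id.
        if presented_sid is not None:
            self.sessions.pop(presented_sid, None)
        sid = secrets.token_urlsafe(32)       # 256 bits of randomness
        self.sessions[sid] = (username, self.clock() + self.timeout)
        return sid

    def user_for(self, sid):
        """Return the username for a live session, or None if unknown or expired."""
        entry = self.sessions.get(sid)
        if entry is None:
            return None
        username, expires_at = entry
        if self.clock() >= expires_at:
            del self.sessions[sid]            # lazy expiry on next use
            return None
        return username

    def logout(self, sid):
        self.sessions.pop(sid, None)


if __name__ == "__main__":
    store = SessionStore(timeout_minutes=10)
    planted = "id-chosen-by-attacker"
    sid = store.login("alice", presented_sid=planted)
    print("planted id still valid?", store.user_for(planted) is not None)   # False
    print("fresh id valid?", store.user_for(sid) == "alice")                 # True
```

The important detail is that `login` never reuses the id the client presented, even a valid anonymous one; regenerating only "if missing" would leave fixation open.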

API Access

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| API_ENABLED | bool | False | Enable the REST API. |
| API_KEY | string | | API key for authenticating API requests. Encrypted at rest. |

The API key is separate from your login credentials. Generate one through the UI on the Settings > Web Interface page. Pass it as the apikey query parameter or the X-Api-Key header. Prefer the header: a key in the query string is written to proxy and web-server access logs and kept in browser history, and treat the key as a credential with full API access.
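As an added example (not Comicarr's code; the function names are assumptions), this is how a server-side check for the two delivery methods above can be written so that it is gated on API_ENABLED and compares the key in constant time:

```python
import hmac
import secrets
from urllib.parse import parse_qs


def generate_api_key():
    """What a 'generate key' button would produce: 256 random bits, hex-encoded."""
    return secrets.token_hex(32)


def extract_api_key(headers, query_string):
    """Look for the key in the X-Api-Key header first, then the apikey query parameter.

    `headers` is a plain dict; HTTP header names are case-insensitive, so match
    them without regard to case.
    """
    for name, value in headers.items():
        if name.lower() == "x-api-key":
            return value
    values = parse_qs(query_string).get("apikey")
    return values[0] if values else None


def authorize(headers, query_string, configured_key, api_enabled=True):
    """Return True only if the API is enabled and the presented key matches."""
    if not api_enabled or not configured_key:
        return False            # API_ENABLED=False or no key configured: reject everything
    presented = extract_api_key(headers, query_string)
    if presented is None:
        return False
    # Constant-time comparison: an ordinary == returns early at the first wrong byte,
    # which lets a remote caller learn the key one byte at a time from response timing.
    return hmac.compare_digest(presented.encode("utf-8"), configured_key.encode("utf-8"))


if __name__ == "__main__":
    key = generate_api_key()
    print(authorize({"X-Api-Key": key}, "", key))            # True
    print(authorize({}, "apikey=" + key + "&limit=10", key))  # True
    print(authorize({"X-Api-Key": "guess"}, "", key))         # False
```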

Rate Limiting

Comicarr enforces rate limiting on the login endpoint to protect against brute-force attacks.

| Parameter | Value |
| --- | --- |
| Maximum attempts | 5 per IP |
| Lockout duration | 300 seconds (5 minutes) |

After 5 failed login attempts from a single IP address, that IP is locked out for 300 seconds. These values are hardcoded and cannot be changed through configuration. The limit is keyed on the client address as Comicarr sees it: if Comicarr runs behind a reverse proxy that does not pass the real client address through, every user shares the proxy's address, and one attacker's five failures lock everyone out, so make sure the proxy forwards the client IP and that Comicarr is configured to trust it.
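The following added example implements the policy in the table (5 failures per IP, then a 300-second lockout) to show the behaviour a tester should expect; it is not Comicarr's own limiter, and the class name, the `check_credentials` callback and the injectable clock are assumptions made for the example. Note that a correct password submitted during the lockout is still rejected, which is what "locked out" means here.

```python
import time
from collections import defaultdict

MAX_ATTEMPTS = 5         # failed attempts per IP before lockout (per the table above)
LOCKOUT_SECONDS = 300    # lockout window once the limit is reached


class LoginRateLimiter:
    """Per-IP brute-force limiter for a login endpoint (illustrative, not Comicarr's)."""

    def __init__(self, clock=time.time):
        self.clock = clock                  # injectable so tests can advance time
        self.failures = defaultdict(int)    # ip -> consecutive failed attempts
        self.locked_until = {}              # ip -> unix time at which the lockout ends

    def is_locked(self, ip):
        until = self.locked_until.get(ip)
        if until is None:
            return False
        if self.clock() >= until:
            # Lockout expired: clear state so the counter restarts from zero.
            del self.locked_until[ip]
            self.failures.pop(ip, None)
            return False
        return True

    def record_failure(self, ip):
        self.failures[ip] += 1
        if self.failures[ip] >= MAX_ATTEMPTS:
            self.locked_until[ip] = self.clock() + LOCKOUT_SECONDS

    def record_success(self, ip):
        self.failures.pop(ip, None)         # a real login resets the counter

    def attempt_login(self, ip, username, password, check_credentials):
        """Return 'locked', 'ok' or 'failed'. Locked IPs are refused before any check."""
        if self.is_locked(ip):
            return "locked"
        if check_credentials(username, password):
            self.record_success(ip)
            return "ok"
        self.record_failure(ip)
        return "failed"


if __name__ == "__main__":
    # Constructed credential check standing in for the bcrypt verification.
    check = lambda u, p: u == "admin" and p == "correct horse"
    limiter = LoginRateLimiter()
    for _ in range(5):
        print(limiter.attempt_login("203.0.113.7", "admin", "wrong", check))   # failed x5
    print(limiter.attempt_login("203.0.113.7", "admin", "correct horse", check))  # locked
    print(limiter.attempt_login("203.0.113.8", "admin", "correct horse", check))  # ok
```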

Password Storage

Comicarr hashes passwords with bcrypt at a cost factor of 12 (2^12 = 4096 key-expansion rounds), with a random salt generated per hash. Note that bcrypt only uses the first 72 bytes of a password.

| Setting | Type | Default | Description |
| --- | --- | --- | --- |
| ENCRYPT_PASSWORDS | bool | True | Enable bcrypt hashing for stored passwords (despite the name, this is one-way hashing, not reversible encryption). |
| SECURE_DIR | string | <config_dir>/secure | Directory for security-sensitive files (e.g. master.key). |

Password Lifecycle

1. Password set via UI: the user enters a plaintext password on the settings page.

2. Bcrypt hash generated: Comicarr hashes the password using bcrypt with cost factor 12 and stores only the hash in config.ini.

3. Login verification: on login, the submitted password is checked against the stored bcrypt hash. The plaintext password is never stored.

Legacy Migration

Older installations may have passwords stored as base64-encoded strings. Comicarr detects these on startup and automatically migrates them to bcrypt hashes. No user action is required.

Do not manually edit HTTP_PASSWORD in config.ini. The value must be a valid bcrypt hash. Use the web UI to change your password.
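The following is an added example covering the password lifecycle, the legacy migration and the warning above; it is not Comicarr's own code. It assumes a recognisable bcrypt modular-crypt string (`$2a$`/`$2b$`/`$2y$`, two-digit cost, 53 characters of salt and digest) as the test for "already migrated", base64 decoding as the test for a legacy value, and the third-party `bcrypt` package for hashing; the function names and the `hasher` parameter are assumptions made so the migration logic can be exercised without bcrypt installed.

```python
import base64
import binascii
import re

BCRYPT_COST = 12
# Modular-crypt form of a bcrypt hash: prefix, 2-digit cost, 22-char salt + 31-char digest.
_BCRYPT_RE = re.compile(r"^\$2[aby]\$(\d{2})\$[./A-Za-z0-9]{53}$")


def is_bcrypt_hash(value):
    """True if `value` is a well-formed bcrypt hash (the only form HTTP_PASSWORD may hold)."""
    return bool(_BCRYPT_RE.match(value or ""))


def bcrypt_hash(plaintext, cost=BCRYPT_COST):
    """Step 2 of the lifecycle: hash with a fresh random salt at cost 12."""
    import bcrypt  # third-party package; imported here so the detection helpers run without it
    return bcrypt.hashpw(plaintext.encode("utf-8"), bcrypt.gensalt(cost)).decode("ascii")


def verify_password(plaintext, stored_hash):
    """Step 3 of the lifecycle: compare a submitted password against the stored hash."""
    import bcrypt
    if not is_bcrypt_hash(stored_hash):
        return False   # never compare against a hand-edited or non-bcrypt value
    return bcrypt.checkpw(plaintext.encode("utf-8"), stored_hash.encode("ascii"))


def decode_legacy(value):
    """Decode a legacy base64-encoded plaintext; None if it is not valid base64/UTF-8.

    Assumption made for this example: the legacy format is plain base64 of the
    password text. Detection is heuristic, since some plaintexts are also valid base64.
    """
    try:
        return base64.b64decode(value, validate=True).decode("utf-8")
    except (binascii.Error, ValueError, UnicodeDecodeError):
        return None


def migrate_stored_password(value, hasher=bcrypt_hash):
    """Startup migration. Returns (new_value, changed).

    Leaves an empty value and an existing bcrypt hash untouched; re-hashes a
    legacy base64 value; refuses anything else so a corrupted config.ini is
    reported rather than silently accepted.
    """
    if not value:
        return value, False
    if is_bcrypt_hash(value):
        return value, False
    legacy = decode_legacy(value)
    if legacy is None:
        raise ValueError(
            "HTTP_PASSWORD is neither a bcrypt hash nor a legacy base64 value; "
            "reset it through the web UI instead of editing config.ini"
        )
    return hasher(legacy), True


if __name__ == "__main__":
    # Constructed legacy value: base64 of the password "secret".
    new_value, changed = migrate_stored_password("c2VjcmV0")
    print(changed, new_value.startswith("$2b$12$"))   # True True
    print(verify_password("secret", new_value))        # True
    print(verify_password("Secret", new_value))        # False
```

Running the block stand-alone requires `pip install bcrypt`; the detection and migration helpers themselves need only the standard library.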
