New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
[server] Fix domain scope for session cookie #1903
Changes from all commits
File filter
Filter by extension
Conversations
Jump to
Diff view
Diff view
There are no files selected for viewing
Original file line number | Diff line number | Diff line change |
---|---|---|
|
@@ -43,11 +43,25 @@ export class SessionHandlerProvider { | |
} | ||
|
||
protected getCookieOptions(env: Env): express.CookieOptions { | ||
const hostParts = env.hostUrl.url.host.split('.'); | ||
const baseDomain = hostParts.slice(hostParts.length - 2).join('.'); | ||
let domain = `.${baseDomain}`; | ||
const hostName = env.hostUrl.url.host; | ||
|
||
let domain = hostName; | ||
if (env.devBranch) { | ||
// Use cookie for base domain to allow cookies being sent via ingress proxy in preview environments | ||
// | ||
// Otherwise, clients (in this case Chrome) may ignore (as in: save it, but don't send it on consequent requests) the 'Set-Cookie:...' send with a redirect (302, to github oauth) | ||
// For details, see: | ||
// - RFC draft sameSite: http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html | ||
// - https://bugs.chromium.org/p/chromium/issues/detail?id=150066 | ||
// - google: chromium not sending cookies set with redirect | ||
|
||
const hostParts = hostName.split('.'); | ||
const baseDomain = hostParts.slice(hostParts.length - 2).join('.'); | ||
domain = `.${baseDomain}`; | ||
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. I think we need the dot prefixing in all cases, as we want tosend the cookie with requests to subdomains as well, no? There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie cf. Domain
There was a problem hiding this comment. Choose a reason for hiding this commentThe reason will be displayed to describe this comment to others. Learn more. then let's remove the dot here as well. |
||
} | ||
|
||
if (this.env.insecureNoDomain) { | ||
domain = baseDomain.split(":")[0]; | ||
domain = hostName.split(":")[0]; | ||
} | ||
|
||
return { | ||
|
@@ -56,12 +70,7 @@ export class SessionHandlerProvider { | |
secure: false, // default, TODO SSL! Config proxy | ||
maxAge: env.sessionMaxAgeMs, // configured in Helm chart, defaults to 3 days. | ||
sameSite: "lax", // default: true. "Lax" needed for OAuth. | ||
domain: `${domain}` // Use cookie for base domain (works for *.staging.gitpod.io because of the name, see below) | ||
// Otherwise, clients (in this case Chrome) may ignore (as in: save it, but don't send it on consequent requests) the 'Set-Cookie:...' send with a redirect (302, to github oauth) | ||
// For details, see: | ||
// - RFC draft sameSite: http://httpwg.org/http-extensions/draft-ietf-httpbis-cookie-same-site.html | ||
// - https://bugs.chromium.org/p/chromium/issues/detail?id=150066 | ||
// - google: chromium not sending cookies set with redirect | ||
domain: `${domain}` | ||
}; | ||
} | ||
|
||
|
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I wonder why the slicing and special handling is necessary here. Also in dev staging all the requests should go to the hostname URL. Is that not the case?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
exactly. I recall, why this is actually needed. in dev staging preview environments we have the ingress proxy which terminates https connections, which is a crucial part in the login process, right? the URL of the ingress proxy has no namespace prefix at all, that's why we've chosen the sliced version of it. this allows those cookies to be present on ingress proxy requests, which are then forwarded to the services.