fix: Fix to delete cookie when AppSubURL is non-empty #30375
Conversation
I made a mistake. I will recreate the PR or re-open once fixes have been made.
They're not the same. When the Go code sees a path of That said, I have to figure out the failing tests. So we'll see where that leads me.
Reverting the change to delete cookies with no path fixed the integration test failures. So maybe we don't want that change. I'm a little unclear about the reasoning behind this. I think it only matters when AppSubURL is empty, and we never observed a problem on servers where it's empty. So I think this is fine.
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. --------- Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Kyle D <kdumontnu@gmail.com>
Backport #30375 by @jtran Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. Co-authored-by: Jonathan Tran <jonnytran@gmail.com> Co-authored-by: wxiaoguang <wxiaoguang@gmail.com> Co-authored-by: Kyle D <kdumontnu@gmail.com>
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
#30588) Backport #30584 by @wolfogre Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions. Co-authored-by: Jason Song <i@wolfogre.com>
#30589) Backport #30584 by @wolfogre Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions. Co-authored-by: Jason Song <i@wolfogre.com>
Problem

We were observing a redirect loop, either when logging out or when trying to view a private repo with an expired session. This only seems to happen when `AppSubURL` is non-empty.

Using `release/v1.21`, several commits after the 1.21.10 release, on a server recently upgraded from 1.20.

Steps to reproduce:
`ROOT_URL` is configured to `https://mydomain.com/sub_path/`
) `/sub_path` to `/sub_path/`

The logout only clears cookies at `/sub_path`, not `/sub_path/`. Due to PR #29599, the login page now sees the gitea cookie that can't be deleted, auto logs in, and then redirects back to the home page.

Existing code already tries to delete the cookie at `/sub_path`: https://github.com/go-gitea/gitea/pull/24107/files#diff-7c540b84d46e33f1e7b33c7a4cc4daed15b765c11da81070d2313b42251aa48eR48-R53. But it doesn't delete cookies at `/sub_path/`. #29552 changed the default value of the path, but it didn't update the code that clears it.

This is problematic because the longer path is more specific as far as the browser is concerned, and the browser prefers the old, outdated cookie with the trailing slash over newly set cookies. A similar problem may occur when no path is set on the cookie, since browsers use the current page's path to determine the path of the cookie. The new, correct cookie path at the root should be `/`, but cookies without a path set may override it.

The workaround was to clear browser cookies, which is not desirable.

Solution

This PR changes it so that whenever a cookie is written, we also clear legacy cookies that could override the cookie currently being written. In this way, cookies are lazily upgraded. In the interim, legacy cookies are still sent from the browser to the server and used. This is fine.

Cookies are written in `modules/web/middleware/cookie.go`, but also deep inside the chi dependency. Rather than modifying the latter, we clear legacy cookies whenever regenerating a session. This is required to handle the case of an expired session that would otherwise cause a redirect loop.

Open to suggestions on a better approach.