Patch #21169

Use config.relative_url_root as the default path for session and autologin cookies

Added by Daniel Ritz about 5 years ago. Updated about 5 years ago.

Status:ClosedStart date:
Priority:NormalDue date:
Assignee:Jean-Philippe Lang% Done:

0%

Category:Accounts / authentication
Target version:3.2.0

Description

Per default, Rails uses "/" as path in session cookies. When mounting
Redmine on a relative URL root, say '/redmine', the path in the cookie
should also say "/redmine". Otherwise a browsers sendsi the cookie to
all applications running on the same host. This is problematic when
running more than one Redmine instance on one server.

Fix it by setting the cookie path to config.relative_url_root when set,
"/" otherwise. Rails automatically sets this config from the environment
variable RAILS_RELATIVE_URL_ROOT.

Related to Patch #3968

session-path-when-using-RAILS_RELATIVE_URL_ROOT.patch Magnifier (737 Bytes) Daniel Ritz, 2015-11-06 20:01

session-path-when-using-RAILS_RELATIVE_URL_ROOT_v2.patch Magnifier - session cookie and autologin cookie path (1.3 KB) Daniel Ritz, 2015-11-07 15:40

Related issues

Related to Redmine - Defect #16489: Autologin Cookie doesn't differentiate between different ... Closed
Related to Redmine - Feature #14237: Allow custom path for "_redmine_session_" cookie Closed

Associated revisions

Revision 14876
Added by Jean-Philippe Lang about 5 years ago

Use config.relative_url_root as the default path for session and autologin cookies (#21169).

Patch by Daniel Ritz.

History

#1 Updated by Go MAEDA about 5 years ago

  • Related to Defect #16489: Autologin Cookie doesn't differentiate between different Redmine systems within the same browser added

#2 Updated by Daniel Ritz about 5 years ago

Thanks for pointing out the autologin cookie. Didn't notice it since I had it disabled.

I think it would make sense to use RAILS_RELATIVE_URL_ROOT for the autologin cookie too, but only as default value instead of "/". When autologin_cookie_path is set, that one should be used instead. Does that sound reasonable?

#3 Updated by Daniel Ritz about 5 years ago

v2 of the patch with fix for autologin cookie path.

#4 Updated by Daniel Ritz about 5 years ago

Also related to #14237.

#5 Updated by Jean-Philippe Lang about 5 years ago

  • Target version set to 3.2.0

#6 Updated by Jean-Philippe Lang about 5 years ago

  • Subject changed from Fix session path when using RAILS_RELATIVE_URL_ROOT to Use config.relative_url_root as the default path for session and autologin cookies
  • Status changed from New to Closed
  • Assignee set to Jean-Philippe Lang

Committed, thanks.

#7 Updated by Toshi MARUYAMA about 5 years ago

  • Related to Feature #14237: Allow custom path for "_redmine_session_" cookie added

Also available in: Atom PDF