Patch #21169
closedUse config.relative_url_root as the default path for session and autologin cookies
0%
Description
Per default, Rails uses "/" as path in session cookies. When mounting
Redmine on a relative URL root, say '/redmine', the path in the cookie
should also say "/redmine". Otherwise a browsers sendsi the cookie to
all applications running on the same host. This is problematic when
running more than one Redmine instance on one server.
Fix it by setting the cookie path to config.relative_url_root when set,
"/" otherwise. Rails automatically sets this config from the environment
variable RAILS_RELATIVE_URL_ROOT.
Related to Patch #3968
Files
Related issues
Updated by Go MAEDA about 9 years ago
- Related to Defect #16489: Autologin Cookie doesn't differentiate between different Redmine systems within the same browser added
Updated by Daniel Ritz about 9 years ago
Thanks for pointing out the autologin cookie. Didn't notice it since I had it disabled.
I think it would make sense to use RAILS_RELATIVE_URL_ROOT for the autologin cookie too, but only as default value instead of "/". When autologin_cookie_path is set, that one should be used instead. Does that sound reasonable?
Updated by Daniel Ritz about 9 years ago
- File session-path-when-using-RAILS_RELATIVE_URL_ROOT_v2.patch session-path-when-using-RAILS_RELATIVE_URL_ROOT_v2.patch added
v2 of the patch with fix for autologin cookie path.
Updated by Jean-Philippe Lang about 9 years ago
- Subject changed from Fix session path when using RAILS_RELATIVE_URL_ROOT to Use config.relative_url_root as the default path for session and autologin cookies
- Status changed from New to Closed
- Assignee set to Jean-Philippe Lang
Committed, thanks.
Updated by Toshi MARUYAMA about 9 years ago
- Related to Feature #14237: Allow custom path for "_redmine_session_" cookie added