Project

General

Profile

Actions

Patch #3968

closed

session cookie path does not respect RAILS_RELATIVE_URL_ROOT

Added by Jérémy Lal over 14 years ago. Updated over 13 years ago.

Status:
Closed
Priority:
High
Assignee:
Category:
Documentation
Target version:
Start date:
2009-10-04
Due date:
% Done:

100%

Estimated time:

Description

This could be problematic, if redmine is hosted at :
mydomain.com/redmine
Then javascript at mydomain.com could access the session
cookie.
Here's a simple patch to make the cookie path follow the
RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)


Files

03_session_path.patch (708 Bytes) 03_session_path.patch Jérémy Lal, 2009-10-05 00:02
03_session_path.patch (754 Bytes) 03_session_path.patch Tom Imrei, 2009-12-06 20:01
03_session_path.patch (863 Bytes) 03_session_path.patch corrected nil or empty patch Jérémy Lal, 2010-05-16 17:30

Related issues

Related to Redmine - Defect #5387: Invalid autenticity tokenClosed2010-04-27

Actions
Related to Redmine - Defect #5051: Cookie issue when using Redmine on FirefoxClosed2010-03-11

Actions
Actions #1

Updated by Tom Imrei about 14 years ago

The only problem with this that leaving the 'path=' empty will not work in some clients, e.g. Mylyn plugin for Eclipse. This will be a problem if you use Redmine hosted as the main web like:
mydomain.com/

I've modified the patch to check if the RAILS_RELATIVE_URL_ROOT environment variable is empty. If not it is used.

Jérémy Lal wrote:

This could be problematic, if redmine is hosted at :
mydomain.com/redmine
Then javascript at mydomain.com could access the session
cookie.
Here's a simple patch to make the cookie path follow the
RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)

Actions #2

Updated by Felix Schäfer almost 14 years ago

  • Assignee set to Jean-Philippe Lang
  • Priority changed from Normal to High
  • Target version set to 0.9.5

Jean-Philippe: it seems this has affected at least 2 people already, so I'd say it should get included in 0.9.5. Anyway, the cookies should be pathed and http://api.rubyonrails.org/classes/ActionController/Session/CookieStore.html suggests the default is /.

Actions #3

Updated by Jérémy Lal almost 14 years ago

The patches mentionned here are not working :)
Here's some that would.

Actions #4

Updated by Eric Davis over 13 years ago

  • Category deleted (Accounts / authentication)
  • Status changed from New to Resolved
  • Assignee changed from Jean-Philippe Lang to Eric Davis
  • % Done changed from 0 to 100

I've added some documentation about editing the session_path in the generated file. Since each Redmine generates that file from rake, it's not something we can just fix.

Actions #5

Updated by Eric Davis over 13 years ago

  • Category set to Documentation
  • Status changed from Resolved to Closed

Merged to 0.9-stable for release.

Actions

Also available in: Atom PDF