Patch #3968
closed
session cookie path does not respect RAILS_RELATIVE_URL_ROOT
Added by Jérémy Lal about 15 years ago.
Updated over 14 years ago.
Description
This could be problematic if Redmine is hosted at:
mydomain.com/redmine
Then javascript at mydomain.com could access the session
cookie.
Here's a simple patch to make the cookie path follow the
RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)
Files
The only problem with this is that leaving the 'path=' empty will not work in some clients, e.g. the Mylyn plugin for Eclipse. This will be a problem if you use Redmine hosted as the main web like:
mydomain.com/
I've modified the patch to check if the RAILS_RELATIVE_URL_ROOT environment variable is empty. If not, it is used.
Jérémy Lal wrote:
This could be problematic if Redmine is hosted at:
mydomain.com/redmine
Then javascript at mydomain.com could access the session
cookie.
Here's a simple patch to make the cookie path follow the
RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)
- Assignee set to Jean-Philippe Lang
- Priority changed from Normal to High
- Target version set to 0.9.5
The patches mentioned here are not working :)
Here's some that would.
- Category deleted (Accounts / authentication)
- Status changed from New to Resolved
- Assignee changed from Jean-Philippe Lang to Eric Davis
- % Done changed from 0 to 100
I've added some documentation about editing the session_path in the generated file. Since each Redmine generates that file from rake, it's not something we can just fix.
- Category set to Documentation
- Status changed from Resolved to Closed
Merged to 0.9-stable for release.
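Added example, not part of the original thread and not Redmine's or Rails' own code: a Ruby sketch of the two points discussed above, deriving the cookie path from RAILS_RELATIVE_URL_ROOT with a "/" fallback when it is empty, and the RFC 6265 path-match rule that decides which requests carry the cookie. The helper names and the sample request paths are constructed for illustration.

```ruby
# Added example; helper names are hypothetical, not Redmine or Rails APIs.

# Cookie Path derived from the relative URL root. Falls back to "/" when the
# variable is unset or empty, because an empty path= attribute is reported in
# the thread to break some clients.
def session_cookie_path(env = ENV)
  root = env['RAILS_RELATIVE_URL_ROOT'].to_s.strip
  return '/' if root.empty?
  root = "/#{root}" unless root.start_with?('/')
  root = root.chomp('/')
  root.empty? ? '/' : root
end

# RFC 6265 section 5.1.4 path-match: the cookie path must equal the request
# path, or be a prefix of it that ends on a "/" boundary.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

# Request paths for which a browser would attach the session cookie.
def paths_receiving_cookie(cookie_path, request_paths)
  request_paths.select { |p| path_match?(p, cookie_path) }
end

# Constructed sample: pages served from the same host as the Redmine instance.
SAMPLE_PATHS = ['/', '/index.html', '/redmine', '/redmine/issues/1',
                '/redmine2/login'].freeze

if __FILE__ == $PROGRAM_NAME
  [{}, { 'RAILS_RELATIVE_URL_ROOT' => '/redmine' }].each do |env|
    path = session_cookie_path(env)
    puts "Path=#{path} -> sent to #{paths_receiving_cookie(path, SAMPLE_PATHS).inspect}"
  end
end
```

Path only decides which requests carry the cookie; RFC 6265 notes that cookies do not always provide isolation by path, so a narrower path reduces exposure rather than removing it.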