fix: Fix to delete cookie when AppSubURL is non-empty #30375
Merged
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
GiteaBot
added
the
lgtm/need 2
pull-request-size
bot
added
the
size/XS
|
I made a mistake. I will recreate the PR or re-open once fixes have been made. |
pull-request-size
bot
added
size/S
jtran
changed the title
wxiaoguang
previously approved these changes
Apr 10, 2024
GiteaBot
added
lgtm/need 1
wxiaoguang
reviewed
Apr 10, 2024
wxiaoguang
reviewed
Apr 10, 2024
wxiaoguang
reviewed
Apr 10, 2024
wxiaoguang
reviewed
Apr 10, 2024
Co-authored-by: wxiaoguang <[email protected]>
wxiaoguang
added
type/bug
backport/v1.21
|
Reverting the change to delete cookies with no path fixed the integration test failures. So maybe we don't want that change. I'm a little unclear about the reasoning behind this. I think it only matters when AppSubURL is empty, and we never observed a problem with on servers where it's empty. So I think this is fine. |
silverwind
approved these changes
Apr 13, 2024
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Apr 14, 2024
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. --------- Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: Kyle D <[email protected]>
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Apr 14, 2024
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. --------- Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: Kyle D <[email protected]>
zjjhot
added a commit
to zjjhot/gitea
that referenced
this pull request
Apr 14, 2024
* giteaofficial/main: Fix JS error when opening to expanded code comment (go-gitea#30463) fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375) Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461) Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387) Avoid losing token when updating mirror settings (go-gitea#30429) Fix label rendering (go-gitea#30456) Add comment for ContainsRedirectURI about the exact match (go-gitea#30457) Update JS and PY deps, lock eslint and related plugins (go-gitea#30452) Refactor cache and disable go-chi cache (go-gitea#30417) Fix admin notice view-detail (go-gitea#30450) Fix mirror error when mirror repo is empty (go-gitea#30432) Add `/public/assets/img/webpack` to ignore files again (go-gitea#30451) Lock a few tool dependencies to major versions (go-gitea#30439) Fix commit status cache which missed target_url (go-gitea#30426) Remove jQuery from the commit graph (except Fomantic) (go-gitea#30395) Fix rename branch 500 when the target branch is deleted but exist in database (go-gitea#30430) Limit the max line length when parsing git grep output (go-gitea#30418)
silverwind
pushed a commit
that referenced
this pull request
Apr 14, 2024
Backport #30375 by @jtran Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. Co-authored-by: Jonathan Tran <[email protected]> Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: Kyle D <[email protected]>
silverwind
pushed a commit
that referenced
this pull request
Apr 14, 2024
Backport #30375 by @jtran Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly. Co-authored-by: Jonathan Tran <[email protected]> Co-authored-by: wxiaoguang <[email protected]> Co-authored-by: Kyle D <[email protected]>
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Apr 14, 2024
* origin/main: (35 commits) Remove fomantic button module (go-gitea#30475) Improve "must-change-password" logic and document (go-gitea#30472) Fix commitstatus summary (go-gitea#30431) Remove fomantic menu module (go-gitea#30325) Use `flex-container` for dashboard layout (go-gitea#30214) Rewrite and restyle reaction selector and enable no-sizzle eslint rule (go-gitea#30453) Pulse page improvements (go-gitea#30149) Fix JS error when opening to expanded code comment (go-gitea#30463) fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375) Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461) Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387) Avoid losing token when updating mirror settings (go-gitea#30429) Fix label rendering (go-gitea#30456) Add comment for ContainsRedirectURI about the exact match (go-gitea#30457) Update JS and PY deps, lock eslint and related plugins (go-gitea#30452) Refactor cache and disable go-chi cache (go-gitea#30417) Fix admin notice view-detail (go-gitea#30450) Fix mirror error when mirror repo is empty (go-gitea#30432) Add `/public/assets/img/webpack` to ignore files again (go-gitea#30451) Lock a few tool dependencies to major versions (go-gitea#30439) ...
silverwind
added a commit
to silverwind/gitea
that referenced
this pull request
Apr 14, 2024
* origin/main: Improve flex ellipsis (go-gitea#30479) Remove fomantic button module (go-gitea#30475) Improve "must-change-password" logic and document (go-gitea#30472) Fix commitstatus summary (go-gitea#30431) Remove fomantic menu module (go-gitea#30325) Use `flex-container` for dashboard layout (go-gitea#30214) Rewrite and restyle reaction selector and enable no-sizzle eslint rule (go-gitea#30453) Pulse page improvements (go-gitea#30149) Fix JS error when opening to expanded code comment (go-gitea#30463) fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375) Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461) Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387) Avoid losing token when updating mirror settings (go-gitea#30429)
wolfogre
added a commit
that referenced
this pull request
Apr 19, 2024
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Apr 19, 2024
…ea#30584) Related to go-gitea#30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
GiteaBot
pushed a commit
to GiteaBot/gitea
that referenced
this pull request
Apr 19, 2024
…ea#30584) Related to go-gitea#30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
silverwind
pushed a commit
that referenced
this pull request
Apr 19, 2024
#30588) Backport #30584 by @wolfogre Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions. Co-authored-by: Jason Song <[email protected]>
silverwind
pushed a commit
that referenced
this pull request
Apr 19, 2024
#30589) Backport #30584 by @wolfogre Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions. Co-authored-by: Jason Song <[email protected]>
wxiaoguang
added
the
skip-changelog
Sign up for free
to subscribe to this conversation on GitHub.
Already have an account?
Sign in.
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Problem
We were observing a redirect loop, either when logging out or when trying to view a private repo with an expired session. This only seems to happen when
AppSubURLis non-empty.Using
release/v1.21, several commits after the 1.21.10 release, on a server recently upgraded from 1.20.Steps to reproduce:
ROOT_URLis configured tohttps://mydomain.com/sub_path/)/sub_pathto/sub_path/The logout only clears cookies in the
/sub_path, not/sub_path/. Due to PR #29599, the login page now sees the gitea cookie that can't be deleted, auto logs in, and then redirects back to the home page.Existing code already tries to delete the cookie at
/sub_path. https://github.com/go-gitea/gitea/pull/24107/files#diff-7c540b84d46e33f1e7b33c7a4cc4daed15b765c11da81070d2313b42251aa48eR48-R53. But it doesn't delete cookies at/sub_path/. #29552 changed the default value of the path, but it didn't update code that clears it.This is problematic because the longer path is more specific as far as the browser is concerned, and the browser prefers the old, outdated cookie with the trailing slash over newly set cookies. A similar problem may occur when no path is set on the cookie since browsers use the current page's path to determine the path of the cookie. The new, correct cookie path at the root should be
/, but cookies without a path set may override it.The workaround was to clear browser cookies, which is not desirable.
Solution
This PR changes it so that whenever a cookie is written, we also clear legacy cookies that could override the cookie currently being written. In this way, cookies are lazily upgraded. In the interim, legacy cookies are still sent from the browser to the server and used. This is fine.
Cookies are written in
modules/web/middleware/cookie.go, but also deep inside the chi dependency. Rather than modifying the latter, we clear legacy cookies whenever regenerating a session. This is required to handle the case of an expired session that would otherwise cause a redirect loop.Open to suggestions on a better approach.