fix: Fix to delete cookie when AppSubURL is non-empty #30375
Merged
Conversation
GiteaBot added the lgtm/need 2 label on Apr 9, 2024
pull-request-size bot added the size/XS label on Apr 9, 2024
I made a mistake. I will recreate the PR or re-open once fixes have been made.
pull-request-size bot added the size/S label and removed the size/XS label on Apr 9, 2024
jtran changed the title from "fix: Fix to delete cookie from root path when AppSubURL is non-empty" to "fix: Fix to delete cookie when AppSubURL is non-empty" on Apr 10, 2024
wxiaoguang previously approved these changes on Apr 10, 2024
GiteaBot added the lgtm/need 1 label and removed the lgtm/need 2 label on Apr 10, 2024
wxiaoguang reviewed on Apr 10, 2024 (four review comments)
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
wxiaoguang added the type/bug, backport/v1.21 and backport/v1.22 labels on Apr 10, 2024
Reverting the change to delete cookies with no path fixed the integration test failures. So maybe we don't want that change. I'm a little unclear about the reasoning behind this. I think it only matters when AppSubURL is empty, and we never observed a problem on servers where it's empty. So I think this is fine.
silverwind approved these changes on Apr 13, 2024

GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request on Apr 14, 2024:
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>

GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request on Apr 14, 2024:
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.
---------
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>
zjjhot added a commit to zjjhot/gitea that referenced this pull request on Apr 14, 2024:
* giteaofficial/main:
  Fix JS error when opening to expanded code comment (go-gitea#30463)
  fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375)
  Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461)
  Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387)
  Avoid losing token when updating mirror settings (go-gitea#30429)
  Fix label rendering (go-gitea#30456)
  Add comment for ContainsRedirectURI about the exact match (go-gitea#30457)
  Update JS and PY deps, lock eslint and related plugins (go-gitea#30452)
  Refactor cache and disable go-chi cache (go-gitea#30417)
  Fix admin notice view-detail (go-gitea#30450)
  Fix mirror error when mirror repo is empty (go-gitea#30432)
  Add `/public/assets/img/webpack` to ignore files again (go-gitea#30451)
  Lock a few tool dependencies to major versions (go-gitea#30439)
  Fix commit status cache which missed target_url (go-gitea#30426)
  Remove jQuery from the commit graph (except Fomantic) (go-gitea#30395)
  Fix rename branch 500 when the target branch is deleted but exist in database (go-gitea#30430)
  Limit the max line length when parsing git grep output (go-gitea#30418)
silverwind pushed a commit that referenced this pull request on Apr 14, 2024:
Backport #30375 by @jtran
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.
Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>

silverwind pushed a commit that referenced this pull request on Apr 14, 2024:
Backport #30375 by @jtran
Cookies may exist on "/subpath" and "/subpath/" for some legacy reasons (eg: changed CookiePath behavior in code). The legacy cookie should be removed correctly.
Co-authored-by: Jonathan Tran <jonnytran@gmail.com>
Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
Co-authored-by: Kyle D <kdumontnu@gmail.com>

silverwind added a commit to silverwind/gitea that referenced this pull request on Apr 14, 2024:
* origin/main: (35 commits)
  Remove fomantic button module (go-gitea#30475)
  Improve "must-change-password" logic and document (go-gitea#30472)
  Fix commitstatus summary (go-gitea#30431)
  Remove fomantic menu module (go-gitea#30325)
  Use `flex-container` for dashboard layout (go-gitea#30214)
  Rewrite and restyle reaction selector and enable no-sizzle eslint rule (go-gitea#30453)
  Pulse page improvements (go-gitea#30149)
  Fix JS error when opening to expanded code comment (go-gitea#30463)
  fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375)
  Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461)
  Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387)
  Avoid losing token when updating mirror settings (go-gitea#30429)
  Fix label rendering (go-gitea#30456)
  Add comment for ContainsRedirectURI about the exact match (go-gitea#30457)
  Update JS and PY deps, lock eslint and related plugins (go-gitea#30452)
  Refactor cache and disable go-chi cache (go-gitea#30417)
  Fix admin notice view-detail (go-gitea#30450)
  Fix mirror error when mirror repo is empty (go-gitea#30432)
  Add `/public/assets/img/webpack` to ignore files again (go-gitea#30451)
  Lock a few tool dependencies to major versions (go-gitea#30439)
  ...

silverwind added a commit to silverwind/gitea that referenced this pull request on Apr 14, 2024:
* origin/main:
  Improve flex ellipsis (go-gitea#30479)
  Remove fomantic button module (go-gitea#30475)
  Improve "must-change-password" logic and document (go-gitea#30472)
  Fix commitstatus summary (go-gitea#30431)
  Remove fomantic menu module (go-gitea#30325)
  Use `flex-container` for dashboard layout (go-gitea#30214)
  Rewrite and restyle reaction selector and enable no-sizzle eslint rule (go-gitea#30453)
  Pulse page improvements (go-gitea#30149)
  Fix JS error when opening to expanded code comment (go-gitea#30463)
  fix: Fix to delete cookie when AppSubURL is non-empty (go-gitea#30375)
  Add `interface{}` to `any` replacement to `make fmt`, exclude `*.pb.go` (go-gitea#30461)
  Fix network error when open/close organization/individual projects and redirect to project page (go-gitea#30387)
  Avoid losing token when updating mirror settings (go-gitea#30429)
wolfogre added a commit that referenced this pull request on Apr 19, 2024:
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request on Apr 19, 2024:
…ea#30584) Related to go-gitea#30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.

GiteaBot pushed a commit to GiteaBot/gitea that referenced this pull request on Apr 19, 2024:
…ea#30584) Related to go-gitea#30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.

silverwind pushed a commit that referenced this pull request on Apr 19, 2024:
#30588) Backport #30584 by @wolfogre
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
Co-authored-by: Jason Song <i@wolfogre.com>

silverwind pushed a commit that referenced this pull request on Apr 19, 2024:
#30589) Backport #30584 by @wolfogre
Related to #30375. It doesn't make sense to import `modules/web/middleware` and `modules/setting` in `modules/web/session` since the last one is more low-level. And it looks like a workaround to call `DeleteLegacySiteCookie` in `RegenerateSession`, so maybe we could reverse the importing by registering hook functions.
Co-authored-by: Jason Song <i@wolfogre.com>
wxiaoguang added the skip-changelog label on Apr 27, 2024
Labels
- backport/done: All backports for this PR have been created
- backport/v1.21: This PR should be backported to Gitea 1.21
- backport/v1.22: This PR should be backported to Gitea 1.22
- lgtm/done: This PR has enough approvals to get merged. There are no important open reservations anymore.
- modifies/go: Pull requests that update Go code
- size/M: Denotes a PR that changes 30-99 lines, ignoring generated files.
- skip-changelog: This PR is irrelevant for the (next) changelog, for example bug fixes for unreleased features.
- type/bug
Problem
We were observing a redirect loop, either when logging out or when trying to view a private repo with an expired session. This only seems to happen when `AppSubURL` is non-empty.

Using `release/v1.21`, several commits after the 1.21.10 release, on a server recently upgraded from 1.20.

Steps to reproduce:
1. `ROOT_URL` is configured to `https://mydomain.com/sub_path/`
2. `/sub_path` to `/sub_path/`

The logout only clears cookies in the `/sub_path`, not `/sub_path/`. Due to PR #29599, the login page now sees the gitea cookie that can't be deleted, auto logs in, and then redirects back to the home page.

Existing code already tries to delete the cookie at `/sub_path`: https://github.com/go-gitea/gitea/pull/24107/files#diff-7c540b84d46e33f1e7b33c7a4cc4daed15b765c11da81070d2313b42251aa48eR48-R53. But it doesn't delete cookies at `/sub_path/`. #29552 changed the default value of the path, but it didn't update code that clears it.

This is problematic because the longer path is more specific as far as the browser is concerned, and the browser prefers the old, outdated cookie with the trailing slash over newly set cookies. A similar problem may occur when no path is set on the cookie, since browsers use the current page's path to determine the path of the cookie. The new, correct cookie path at the root should be `/`, but cookies without a path set may override it.

The workaround was to clear browser cookies, which is not desirable.
Solution
This PR changes it so that whenever a cookie is written, we also clear legacy cookies that could override the cookie currently being written. In this way, cookies are lazily upgraded. In the interim, legacy cookies are still sent from the browser to the server and used. This is fine.
Cookies are written in `modules/web/middleware/cookie.go`, but also deep inside the chi dependency. Rather than modifying the latter, we clear legacy cookies whenever regenerating a session. This is required to handle the case of an expired session that would otherwise cause a redirect loop.

Open to suggestions on a better approach.
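The lazy upgrade described in the Problem and Solution sections, as an added example that is not Gitea's code. It assumes the canonical cookie path is `AppSubURL` without a trailing slash (the setup the report describes, where the stale cookie sits at the trailing-slash path) and treats the trailing-slash form as the legacy variant; path-less cookies are left out, matching the thread's decision to drop that part. Every Set-Cookie header is replayed into a constructed in-memory jar that applies the browser's longest-path-first ordering from RFC 6265, so the shadowing before the fix and its absence after it can be checked offline. All identifiers (`CookiePath`, `LegacyCookiePaths`, `SetSiteCookie`, `ApplySetCookies`, `CookieSentFor`, `Demo`) and the cookie name `gitea_session` are hypothetical.

```go
package main

// Added example, not Gitea's code. All identifiers below are hypothetical.

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"sort"
	"strings"
)

// CookiePath is the canonical path for site cookies: "/" for an empty
// AppSubURL, otherwise AppSubURL without its trailing slash (assumption).
func CookiePath(appSubURL string) string {
	p := strings.TrimSuffix(appSubURL, "/")
	if p == "" {
		return "/"
	}
	return p
}

// LegacyCookiePaths lists the other spelling of the sub-path an older release
// may have used for the same cookie name. Browsers store cookies per
// (name, path), so a stale "/sub_path/" cookie survives a delete aimed at
// "/sub_path". Path-less cookies are deliberately not handled here.
func LegacyCookiePaths(appSubURL string) []string {
	canonical := CookiePath(appSubURL)
	if canonical == "/" {
		return nil
	}
	return []string{canonical + "/"}
}

// SetSiteCookie writes the cookie at the canonical path and, in the same
// response, expires each legacy variant (Go's MaxAge<0 emits "Max-Age=0").
// Calling it with value "" and maxAge -1 is the logout/delete case.
func SetSiteCookie(w http.ResponseWriter, appSubURL, name, value string, maxAge int) {
	http.SetCookie(w, &http.Cookie{
		Name: name, Value: value, Path: CookiePath(appSubURL),
		MaxAge: maxAge, HttpOnly: true, SameSite: http.SameSiteLaxMode,
	})
	for _, lp := range LegacyCookiePaths(appSubURL) {
		http.SetCookie(w, &http.Cookie{Name: name, Value: "", Path: lp, MaxAge: -1, HttpOnly: true})
	}
}

// jarKey is how a browser identifies a stored cookie: by name and path.
type jarKey struct{ Name, Path string }

// ApplySetCookies updates a constructed in-memory jar from a response's
// Set-Cookie headers; Go parses "Max-Age=0" back into MaxAge -1, a deletion.
func ApplySetCookies(jar map[jarKey]string, resp *http.Response) {
	for _, c := range resp.Cookies() {
		k := jarKey{c.Name, c.Path}
		if c.MaxAge < 0 {
			delete(jar, k)
		} else {
			jar[k] = c.Value
		}
	}
}

// pathMatches implements the RFC 6265 section 5.1.4 path-match rule.
func pathMatches(cookiePath, requestPath string) bool {
	if cookiePath == requestPath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	return strings.HasSuffix(cookiePath, "/") || requestPath[len(cookiePath)] == '/'
}

// CookieSentFor returns the value the server reads for name on a request to
// requestPath: browsers send matching cookies longest path first (RFC 6265
// section 5.4) and http.Request.Cookie returns the first one, so the most
// specific path wins. That is how a stale trailing-slash cookie shadows a new one.
func CookieSentFor(jar map[jarKey]string, name, requestPath string) (string, bool) {
	var matches []jarKey
	for k := range jar {
		if k.Name == name && pathMatches(k.Path, requestPath) {
			matches = append(matches, k)
		}
	}
	if len(matches) == 0 {
		return "", false
	}
	sort.Slice(matches, func(i, j int) bool { return len(matches[i].Path) > len(matches[j].Path) })
	return jar[matches[0]], true
}

// Demo replays the report with a constructed jar holding a stale cookie at
// "/sub_path/": first a plain write at the canonical path, then the lazy upgrade.
func Demo() (before, after string) {
	const sub, name = "/sub_path", "gitea_session"
	jar := map[jarKey]string{{name, sub + "/"}: "stale-session"}

	rec := httptest.NewRecorder()
	http.SetCookie(rec, &http.Cookie{Name: name, Value: "new-session", Path: CookiePath(sub)})
	ApplySetCookies(jar, rec.Result())
	before, _ = CookieSentFor(jar, name, sub+"/user/login") // stale cookie still wins

	rec = httptest.NewRecorder()
	SetSiteCookie(rec, sub, name, "new-session", 3600)
	ApplySetCookies(jar, rec.Result())
	after, _ = CookieSentFor(jar, name, sub+"/user/login") // legacy variant expired
	return before, after
}

func main() {
	before, after := Demo()
	fmt.Printf("without legacy cleanup the server sees %q; with it %q\n", before, after)
}
```

The jar is a stand-in for the browser: it only models what matters here, storage keyed by name and path and selection by longest matching path. The same `SetSiteCookie` call with an empty value and a negative `maxAge` is the logout path, which is why clearing the legacy variant on every write rather than only on logout also covers the expired-session redirect loop the report describes.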