Merge pull request #51657 from SBizienFilippiPEReN/cookie-domain

AndyScherzinger · web-flow · commit 6f2fbef490d3 · 2025-06-17T07:00:40.000+02:00
cookie_domain config option for setting cookie on a wider domain
diff --git a/config/config.sample.php b/config/config.sample.php
@@ -87,6 +87,14 @@
 	'[2001:db8::1]'
 ],
 
+/**
+ * The validity domain for cookies, for example '' (cookies will be sent only
+ * the domain that defined it, e.g. 'demo.example.org'), 'demo.example.org'
+ * (cookies will be valid for the domain and all subdomains), ...
+ *
+ * Defaults to '' (safe option)
+ */
+'cookie_domain' => '',
 
 /**
  * Where user files are stored. The SQLite database is also stored here, when
diff --git a/lib/base.php b/lib/base.php
@@ -393,6 +393,12 @@ public static function initSession(): void {
 		$cookie_path = OC::$WEBROOT ? : '/';
 		ini_set('session.cookie_path', $cookie_path);
 
+		// set the cookie domain to the Nextcloud domain
+		$cookie_domain = self::$config->getValue('cookie_domain', '');
+		if ($cookie_domain) {
+			ini_set('session.cookie_domain', $cookie_domain);
+		}
+
 		// Let the session name be changed in the initSession Hook
 		$sessionName = OC_Util::getInstanceId();
 
diff --git a/lib/private/Session/CryptoWrapper.php b/lib/private/Session/CryptoWrapper.php
@@ -59,7 +59,7 @@ public function __construct(
 					[
 						'expires' => 0,
 						'path' => $webRoot,
-						'domain' => '',
+						'domain' => \OCP\Server::get(\OCP\IConfig::class)->getSystemValueString('cookie_domain'),
 						'secure' => $secureCookie,
 						'httponly' => true,
 						'samesite' => 'Lax',
diff --git a/lib/private/User/Session.php b/lib/private/User/Session.php
@@ -967,14 +967,15 @@ public function setMagicInCookie($username, $token) {
 		if ($webRoot === '') {
 			$webRoot = '/';
 		}
+		$domain = $this->config->getSystemValueString('cookie_domain');
 
 		$maxAge = $this->config->getSystemValueInt('remember_login_cookie_lifetime', 60 * 60 * 24 * 15);
 		\OC\Http\CookieHelper::setCookie(
 			'nc_username',
 			$username,
 			$maxAge,
 			$webRoot,
-			'',
+			$domain,
 			$secureCookie,
 			true,
 			\OC\Http\CookieHelper::SAMESITE_LAX
@@ -984,7 +985,7 @@ public function setMagicInCookie($username, $token) {
 			$token,
 			$maxAge,
 			$webRoot,
-			'',
+			$domain,
 			$secureCookie,
 			true,
 			\OC\Http\CookieHelper::SAMESITE_LAX
@@ -995,7 +996,7 @@ public function setMagicInCookie($username, $token) {
 				$this->session->getId(),
 				$maxAge,
 				$webRoot,
-				'',
+				$domain,
 				$secureCookie,
 				true,
 				\OC\Http\CookieHelper::SAMESITE_LAX
@@ -1011,18 +1012,19 @@ public function setMagicInCookie($username, $token) {
 	public function unsetMagicInCookie() {
 		//TODO: DI for cookies and IRequest
 		$secureCookie = OC::$server->getRequest()->getServerProtocol() === 'https';
+		$domain = $this->config->getSystemValueString('cookie_domain');
 
 		unset($_COOKIE['nc_username']); //TODO: DI
 		unset($_COOKIE['nc_token']);
 		unset($_COOKIE['nc_session_id']);
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, '', $secureCookie, true);
+		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, $domain, $secureCookie, true);
+		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, $domain, $secureCookie, true);
+		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT, $domain, $secureCookie, true);
 		// old cookies might be stored under /webroot/ instead of /webroot
 		// and Firefox doesn't like it!
-		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
-		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', '', $secureCookie, true);
+		setcookie('nc_username', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', $domain, $secureCookie, true);
+		setcookie('nc_token', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', $domain, $secureCookie, true);
+		setcookie('nc_session_id', '', $this->timeFactory->getTime() - 3600, OC::$WEBROOT . '/', $domain, $secureCookie, true);
 	}
 
 	/**

Original file line number	Diff line number	Diff line change
`@@ -59,7 +59,7 @@ public function __construct(`
`59`	`59`	`[`
`60`	`60`	`'expires' => 0,`
`61`	`61`	`'path' => $webRoot,`
`62`		`- 'domain' => '',`
	`62`	`+ 'domain' => \OCP\Server::get(\OCP\IConfig::class)->getSystemValueString('cookie_domain'),`
`63`	`63`	`'secure' => $secureCookie,`
`64`	`64`	`'httponly' => true,`
`65`	`65`	`'samesite' => 'Lax',`