|
|
@@ -45,10 +45,32 @@ func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) { |
|
|
|
SameSite: setting.SessionConfig.SameSite, |
|
|
|
} |
|
|
|
resp.Header().Add("Set-Cookie", cookie.String()) |
|
|
|
if maxAge < 0 { |
|
|
|
// There was a bug in "setting.SessionConfig.CookiePath" code, the old default value of it was empty "". |
|
|
|
// So we have to delete the cookie on path="" again, because some old code leaves cookies on path="". |
|
|
|
cookie.Path = strings.TrimSuffix(setting.SessionConfig.CookiePath, "/") |
|
|
|
resp.Header().Add("Set-Cookie", cookie.String()) |
|
|
|
// Previous versions would use a cookie path with a trailing /. |
|
|
|
// These are more specific than cookies without a trailing /, so |
|
|
|
// we need to delete these if they exist. |
|
|
|
DeleteLegacySiteCookie(resp, name) |
|
|
|
} |
|
|
|
|
|
|
|
// DeleteLegacySiteCookie deletes the cookie with the given name at the cookie |
|
|
|
// path with a trailing /, which would unintentionally override the cookie. |
|
|
|
func DeleteLegacySiteCookie(resp http.ResponseWriter, name string) { |
|
|
|
if setting.SessionConfig.CookiePath == "" || strings.HasSuffix(setting.SessionConfig.CookiePath, "/") { |
|
|
|
// If the cookie path ends with /, no legacy cookies will take |
|
|
|
// precedence, so do nothing. The exception is that cookies with no |
|
|
|
// path could override other cookies, but it's complicated and we don't |
|
|
|
// currently handle that. |
|
|
|
return |
|
|
|
} |
|
|
|
|
|
|
|
cookie := &http.Cookie{ |
|
|
|
Name: name, |
|
|
|
Value: "", |
|
|
|
MaxAge: -1, |
|
|
|
Path: setting.SessionConfig.CookiePath + "/", |
|
|
|
Domain: setting.SessionConfig.Domain, |
|
|
|
Secure: setting.SessionConfig.Secure, |
|
|
|
HttpOnly: true, |
|
|
|
SameSite: setting.SessionConfig.SameSite, |
|
|
|
} |
|
|
|
resp.Header().Add("Set-Cookie", cookie.String()) |
|
|
|
} |