Delete legacy cookie before setting new cookie (#31306) (#31317)

Backport #31306 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>

diff --git a/modules/web/middleware/cookie.go b/modules/web/middleware/cookie.go
index ec6b06f9933b29ebc429c7a3d87f2202c9902f69..f2d25f5b1cda702e755fc91f6f09212d2206efac 100644 (file)
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@@ -35,6 +35,10 @@ func GetSiteCookie(req *http.Request, name string) string {
 
 // SetSiteCookie returns given cookie value from request header.
 func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
+       // Previous versions would use a cookie path with a trailing /.
+       // These are more specific than cookies without a trailing /, so
+       // we need to delete these if they exist.
+       deleteLegacySiteCookie(resp, name)
        cookie := &http.Cookie{
                Name:     name,
                Value:    url.QueryEscape(value),
@@ -46,10 +50,6 @@ func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
                SameSite: setting.SessionConfig.SameSite,
        }
        resp.Header().Add("Set-Cookie", cookie.String())
-       // Previous versions would use a cookie path with a trailing /.
-       // These are more specific than cookies without a trailing /, so
-       // we need to delete these if they exist.
-       deleteLegacySiteCookie(resp, name)
 }
 
 // deleteLegacySiteCookie deletes the cookie with the given name at the cookie