FIX: add path to cookies so sessions on the same domain but different subfolders don't log each other out

2025-06-05 14:07:30 +08:00 · 2017-06-20 13:30:36 -04:00
parent 482365b943
commit 1716747810
2 changed files with 14 additions and 1 deletions
--- a/lib/auth/default_current_user_provider.rb
+++ b/lib/auth/default_current_user_provider.rb
@ -159,7 +159,8 @@ class Auth::DefaultCurrentUserProvider
      value: unhashed_auth_token,
      httponly: true,
      expires: SiteSetting.maximum_session_age.hours.from_now,
-      secure: SiteSetting.force_https
+      secure: SiteSetting.force_https,
+      path: GlobalSetting.relative_url_root.nil? ? '/' : GlobalSetting.relative_url_root
    }

    if SiteSetting.same_site_cookies != "Disabled"
--- a/spec/components/auth/default_current_user_provider_spec.rb
+++ b/spec/components/auth/default_current_user_provider_spec.rb
@ -245,6 +245,18 @@ describe Auth::DefaultCurrentUserProvider do
    expect(cookies["_t"].key?(:same_site)).to eq(false)
  end

+  it "cookies includes path" do
+    user = Fabricate(:user)
+    cookies = {}
+    provider('/').log_on_user(user, {}, cookies)
+    expect(cookies["_t"][:path]).to eq("/")
+
+    GlobalSetting.stubs(:relative_url_root).returns('/forum')
+    cookies = {}
+    provider('/').log_on_user(user, {}, cookies)
+    expect(cookies["_t"][:path]).to eq("/forum")
+  end
+
  it "correctly expires session" do
    SiteSetting.maximum_session_age = 2
    user = Fabricate(:user)