@ -9,6 +9,7 @@ import (
"net/url"
"net/url"
"strings"
"strings"
"code.gitea.io/gitea/modules/session"
"code.gitea.io/gitea/modules/setting"
"code.gitea.io/gitea/modules/setting"
)
)
@ -48,12 +49,12 @@ func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
// Previous versions would use a cookie path with a trailing /.
// Previous versions would use a cookie path with a trailing /.
// These are more specific than cookies without a trailing /, so
// These are more specific than cookies without a trailing /, so
// we need to delete these if they exist.
// we need to delete these if they exist.
D eleteLegacySiteCookie( resp , name )
d eleteLegacySiteCookie( resp , name )
}
}
// D eleteLegacySiteCookie deletes the cookie with the given name at the cookie
// d eleteLegacySiteCookie deletes the cookie with the given name at the cookie
// path with a trailing /, which would unintentionally override the cookie.
// path with a trailing /, which would unintentionally override the cookie.
func D eleteLegacySiteCookie( resp http . ResponseWriter , name string ) {
func d eleteLegacySiteCookie( resp http . ResponseWriter , name string ) {
if setting . SessionConfig . CookiePath == "" || strings . HasSuffix ( setting . SessionConfig . CookiePath , "/" ) {
if setting . SessionConfig . CookiePath == "" || strings . HasSuffix ( setting . SessionConfig . CookiePath , "/" ) {
// If the cookie path ends with /, no legacy cookies will take
// If the cookie path ends with /, no legacy cookies will take
// precedence, so do nothing. The exception is that cookies with no
// precedence, so do nothing. The exception is that cookies with no
@ -74,3 +75,11 @@ func DeleteLegacySiteCookie(resp http.ResponseWriter, name string) {
}
}
resp . Header ( ) . Add ( "Set-Cookie" , cookie . String ( ) )
resp . Header ( ) . Add ( "Set-Cookie" , cookie . String ( ) )
}
}
func init ( ) {
session . BeforeRegenerateSession = append ( session . BeforeRegenerateSession , func ( resp http . ResponseWriter , _ * http . Request ) {
// Ensure that a cookie with a trailing slash does not take precedence over
// the cookie written by the middleware.
deleteLegacySiteCookie ( resp , setting . SessionConfig . CookieName )
} )
}
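Review bot: The comment inside the hook registered in init() says what is deleted but not why it matters at session regeneration, which is the security-relevant part of this change. Going by the comments earlier in this file, a legacy cookie at the trailing-slash path is more specific, so the old session ID would keep being sent after the middleware writes the regenerated one. I would spell that out, e.g. `// A legacy cookie at CookiePath+"/" is more specific than the new one, so the pre-regeneration session ID would still be sent; expire it before the new cookie is written.` The hook is also wired up only as an init() side effect on a package-level slice, and whether every regeneration path runs session.BeforeRegenerateSession is not visible in this hunk. A test that regenerates a session and asserts the expiring Set-Cookie header for setting.SessionConfig.CookieName would pin the behaviour. deleteLegacySiteCookie's body starts outside this hunk, so how the expiring cookie's attributes are built could not be checked here.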