Patch #3968

session cookie path does not respect RAILS_RELATIVE_URL_ROOT

Added by Jérémy Lal about 8 years ago. Updated over 7 years ago.

Status: Closed
Start date: 2009-10-04
Priority: High
Due date:
Assignee: Eric Davis
% Done: 100%
Category: Documentation
Target version: 0.9.5

Description

This could be problematic if redmine is hosted at:
mydomain.com/redmine
Then javascript at mydomain.com could access the session cookie.
Here's a simple patch to make the cookie path follow the RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)

03_session_path.patch (708 Bytes) Jérémy Lal, 2009-10-05 00:02

03_session_path.patch (754 Bytes) Tom Imrei, 2009-12-06 20:01

03_session_path.patch - corrected nil or empty patch (863 Bytes) Jérémy Lal, 2010-05-16 17:30


Related issues

Related to Redmine - Defect #5387: Invalid autenticity token Closed 2010-04-27
Related to Redmine - Defect #5051: Cookie issue when using Redmine on Firefox Closed 2010-03-11

Associated revisions

Revision 3785
Added by Eric Davis over 7 years ago

Added documentation about the session_path. #3968

History

#1 Updated by Tom Imrei almost 8 years ago

The only problem with this is that leaving the 'path=' empty will not work in some clients, e.g. the Mylyn plugin for Eclipse. This will be a problem if you use Redmine hosted as the main web site, like:
mydomain.com/

I've modified the patch to check if the RAILS_RELATIVE_URL_ROOT environment variable is empty. If not, it is used.

Jérémy Lal wrote:

This could be problematic if redmine is hosted at:
mydomain.com/redmine
Then javascript at mydomain.com could access the session cookie.
Here's a simple patch to make the cookie path follow the RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)
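The behaviour the description and comment #1 together call for, as an added example that is not Redmine's code or the attached patch: derive the cookie path from RAILS_RELATIVE_URL_ROOT, fall back to "/" when the variable is unset or empty (the Mylyn case), and check which request paths a browser would send the cookie to. The `_redmine_session` key, the `:session_path` option name and the paths used in the demo are assumptions for illustration.

```ruby
# Added example, not Redmine's own code. Derive the session cookie path from
# RAILS_RELATIVE_URL_ROOT; an unset or empty variable yields "/" so that
# clients which reject an empty "path=" attribute keep working.
def session_cookie_path(env = ENV)
  root = env['RAILS_RELATIVE_URL_ROOT'].to_s.strip
  return '/' if root.empty?
  # Normalise to a single leading slash and no trailing slash.
  path = '/' + root.sub(%r{\A/+}, '').sub(%r{/+\z}, '')
  path.empty? || path == '/' ? '/' : path
end

# Options hash in the shape a Rails 2.x session store config takes.
# Key name and the :session_path option name are assumed for illustration.
def session_store_options(env = ENV)
  {
    key: '_redmine_session',          # assumed cookie name
    session_path: session_cookie_path(env),
    httponly: true
  }
end

# RFC 6265 5.1.4 path-match: would a cookie scoped to cookie_path be sent
# with a request for request_path? This is what decides whether pages at
# mydomain.com/ outside /redmine can see the session cookie.
def path_match?(request_path, cookie_path)
  return true if request_path == cookie_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?('/') || request_path[cookie_path.length] == '/'
end

if $PROGRAM_NAME == __FILE__
  # Constructed environments: sub-URI deployment vs. site root deployment.
  sub_uri = { 'RAILS_RELATIVE_URL_ROOT' => '/redmine' }
  root    = { 'RAILS_RELATIVE_URL_ROOT' => '' }
  [sub_uri, root].each do |env|
    path = session_cookie_path(env)
    # Assumed request path for a page served from outside Redmine.
    exposed = path_match?('/other/app', path)
    puts "cookie path=#{path}: sent to /other/app? #{exposed}"
  end
end
```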

#2 Updated by Felix Schäfer over 7 years ago

  • Assignee set to Jean-Philippe Lang
  • Priority changed from Normal to High
  • Target version set to 0.9.5

Jean-Philippe: it seems this has affected at least 2 people already, so I'd say it should get included in 0.9.5. Anyway, the cookies should be pathed and http://api.rubyonrails.org/classes/ActionController/Session/CookieStore.html suggests the default is /.

#3 Updated by Jérémy Lal over 7 years ago

The patches mentioned here are not working :)
Here are some that would.

#4 Updated by Eric Davis over 7 years ago

  • Category deleted (Accounts / authentication)
  • Status changed from New to Resolved
  • Assignee changed from Jean-Philippe Lang to Eric Davis
  • % Done changed from 0 to 100

I've added some documentation about editing the session_path in the generated file. Since each Redmine generates that file from rake, it's not something we can just fix.

#5 Updated by Eric Davis over 7 years ago

  • Category set to Documentation
  • Status changed from Resolved to Closed

Merged to 0.9-stable for release.
