Use config.relative_url_root as the default path for session and autologin cookies
|Assignee:||Jean-Philippe Lang||% Done:|
|Category:||Accounts / authentication|
Per default, Rails uses "/" as path in session cookies. When mounting
Redmine on a relative URL root, say '/redmine', the path in the cookie
should also say "/redmine". Otherwise a browsers sendsi the cookie to
all applications running on the same host. This is problematic when
running more than one Redmine instance on one server.
Fix it by setting the cookie path to config.relative_url_root when set,
"/" otherwise. Rails automatically sets this config from the environment
Related to Patch #3968
#2 Updated by Daniel Ritz about 3 years ago
Thanks for pointing out the autologin cookie. Didn't notice it since I had it disabled.
I think it would make sense to use RAILS_RELATIVE_URL_ROOT for the autologin cookie too, but only as default value instead of "/". When autologin_cookie_path is set, that one should be used instead. Does that sound reasonable?
#3 Updated by Daniel Ritz about 3 years ago
v2 of the patch with fix for autologin cookie path.