Patch #3968
session cookie path does not respect RAILS_RELATIVE_URL_ROOT
Status: | Closed | Start date: | 2009-10-04
---|---|---|---
Priority: | High | Due date: |
Assignee: | | % Done: | 100%
Category: | Documentation | |
Target version: | 0.9.5 | |
Description
This could be problematic, if redmine is hosted at:
mydomain.com/redmine
Then javascript at mydomain.com could access the session cookie.
Here's a simple patch to make the cookie path follow the RAILS_RELATIVE_URL_ROOT environment variable.
I'm wondering if it's a rails bug or feature :)
Related issues
Associated revisions
Added documentation about the session_path. #3968
History
#1
Updated by Tom Imrei over 12 years ago
- File 03_session_path.patch added
The only problem with this is that leaving the 'path=' empty will not work in some clients, e.g. Mylyn plugin for Eclipse. This will be a problem if you use Redmine hosted as the main web like:
mydomain.com/
I've modified the patch to check if the RAILS_RELATIVE_URL_ROOT environment variable is empty. If not, it is used.
Jérémy Lal wrote:
> This could be problematic, if redmine is hosted at:
> mydomain.com/redmine
> Then javascript at mydomain.com could access the session cookie.
> Here's a simple patch to make the cookie path follow the RAILS_RELATIVE_URL_ROOT environment variable.
> I'm wondering if it's a rails bug or feature :)
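The cookie-path concern in the description and the empty-`path=` client problem from comment #1, as an added example (not the attached patch or Redmine's own code): a helper that derives the session cookie path from RAILS_RELATIVE_URL_ROOT with a fallback to "/", plus an RFC 6265 path-match check over constructed request paths showing which URLs on the host would receive the cookie. Function names and sample paths are assumptions.

```ruby
# Added example (not part of the Redmine patch): derive the session cookie
# path from RAILS_RELATIVE_URL_ROOT, falling back to "/" when it is unset or
# empty (the client-compatibility problem noted in comment #1), and apply
# RFC 6265 path matching to see which request paths receive the cookie.

# Returns the cookie path to configure for the session store.
# nil or "" -> "/", "/redmine/" -> "/redmine", "redmine" -> "/redmine"
def session_cookie_path(relative_url_root)
  root = relative_url_root.to_s.strip
  root = "/" + root unless root.start_with?("/")
  root = root.chomp("/")
  root.empty? ? "/" : root   # never emit an empty 'path=' attribute
end

# RFC 6265 section 5.1.4 path-match: a cookie scoped to cookie_path is sent
# with a request to request_path only if one of these conditions holds.
def cookie_path_match?(cookie_path, request_path)
  return true if cookie_path == request_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
end

# Filters the request paths (constructed samples below) that would carry
# the session cookie; anything outside the Redmine prefix is exposure.
def paths_receiving_cookie(cookie_path, request_paths)
  request_paths.select { |p| cookie_path_match?(cookie_path, p) }
end

if __FILE__ == $0
  # Constructed sample paths on the same host as a /redmine deployment.
  sample = ["/", "/index.html", "/redmine", "/redmine/issues",
            "/redmine-old/", "/other/app"]
  puts "default path /:     #{paths_receiving_cookie(session_cookie_path(''), sample).inspect}"
  puts "path from env root: #{paths_receiving_cookie(session_cookie_path('/redmine'), sample).inspect}"
end
```

With the default path every page on the host receives the cookie; with the path derived from RAILS_RELATIVE_URL_ROOT only requests under /redmine do, and "/redmine-old/" is correctly excluded.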
#2
Updated by Felix Schäfer about 12 years ago
- Assignee set to Jean-Philippe Lang
- Priority changed from Normal to High
- Target version set to 0.9.5
Jean-Philippe: it seems this has affected at least 2 people already, so I'd say it should get included in 0.9.5. Anyway, the cookies should be pathed and http://api.rubyonrails.org/classes/ActionController/Session/CookieStore.html suggests the default is /.
#3
Updated by Jérémy Lal about 12 years ago
- File 03_session_path.patch added
The patches mentioned here are not working :)
Here's some that would.
#4
Updated by Eric Davis almost 12 years ago
- Category deleted (Accounts / authentication)
- Status changed from New to Resolved
- Assignee changed from Jean-Philippe Lang to Eric Davis
- % Done changed from 0 to 100
I've added some documentation about editing the session_path in the generated file. Since each Redmine generates that file from rake, it's not something we can just fix.
#5
Updated by Eric Davis almost 12 years ago
- Category set to Documentation
- Status changed from Resolved to Closed
Merged to 0.9-stable for release.