Auth: Remove trailing / in cookies' path (#22265) (#22265)

According to the stackoverflow answer below, it is recommended to not include a trailing / in cookies' path. By removing the trailing / for our cookies path value, people's browsers visiting grafana will pass the cookie not only to /grafana/ sub paths but also to /grafana sub paths. This commit avoids the situation where a user would visit http://localhost/grafana, get redirected to http://localhost/grafana/login, and following login get redirected back to http://localhost/grafana, but since the grafana_session cookie isn't passed along get redirected back once more to http://localhost/grafana/login. ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228 ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
2025-02-25 18:55:37 -06:00 · 2020-04-06 16:56:19 +02:00
parent 2299e6bfef
commit d94796a022
4 changed files with 38 additions and 11 deletions
--- a/pkg/api/login.go
+++ b/pkg/api/login.go
@@ -46,8 +46,12 @@ func (hs *HTTPServer) validateRedirectTo(redirectTo string) error {
 }

 func (hs *HTTPServer) cookieOptionsFromCfg() middleware.CookieOptions {
+	path := "/"
+	if len(hs.Cfg.AppSubUrl) > 0 {
+		path = hs.Cfg.AppSubUrl
+	}
 	return middleware.CookieOptions{
-		Path:             hs.Cfg.AppSubUrl + "/",
+		Path:             path,
 		Secure:           hs.Cfg.CookieSecure,
 		SameSiteDisabled: hs.Cfg.CookieSameSiteDisabled,
 		SameSiteMode:     hs.Cfg.CookieSameSiteMode,