Auth: Remove trailing / in cookies' path (#22265) (#22265)

According to the stackoverflow answer below, it is recommended to not
include a trailing / in cookies' path. By removing the trailing / for
our cookies path value, people's browsers visiting grafana will pass the
cookie not only to /grafana/ sub paths but also to /grafana sub paths.

This commit avoids the situation where a user would visit
http://localhost/grafana, get redirected to
http://localhost/grafana/login, and following login get redirected back
to http://localhost/grafana, but since the grafana_session cookie isn't
passed along get redirected back once more to
http://localhost/grafana/login.

ref: https://stackoverflow.com/questions/36131023/setting-a-slash-on-cookie-path/53784228#53784228
ref: https://tools.ietf.org/html/rfc6265#section-5.1.4
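The redirect loop described in the commit message comes straight from the RFC 6265 section 5.1.4 path-match rule: a cookie with `Path=/grafana/` is not sent on a request for `/grafana`, while a cookie with `Path=/grafana` is sent on `/grafana`, `/grafana/` and `/grafana/login` but not on an unrelated sibling such as `/grafanalogs`. The following Go program is an added illustration, not Grafana code: `pathMatch` implements the RFC algorithm, `cookiePathFor` is a hypothetical helper that applies the rule this commit adopts (empty sub-URL means `/`, otherwise the sub-URL without a trailing slash), and `sentByJar` cross-checks the result against the standard library's `net/http/cookiejar`. The login URL, cookie value and request paths are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
	"strings"
)

// pathMatch implements the path-match algorithm of RFC 6265 section 5.1.4.
// A request-path matches a cookie-path when they are identical, or when the
// cookie-path is a prefix of the request-path and either the cookie-path ends
// in "/" or the first request-path character after the prefix is "/".
func pathMatch(cookiePath, requestPath string) bool {
	if requestPath == cookiePath {
		return true
	}
	if !strings.HasPrefix(requestPath, cookiePath) {
		return false
	}
	if strings.HasSuffix(cookiePath, "/") {
		return true
	}
	return requestPath[len(cookiePath)] == '/'
}

// cookiePathFor is a hypothetical helper (not a Grafana function) that mirrors
// the rule the commit adopts: no sub-URL means "/", otherwise the sub-URL with
// any trailing "/" removed so that both /grafana and /grafana/... match.
func cookiePathFor(appSubURL string) string {
	p := strings.TrimSuffix(appSubURL, "/")
	if p == "" {
		return "/"
	}
	return p
}

// sentByJar stores a session cookie with the given Path as if set by the
// login page, then reports whether Go's RFC 6265 cookie jar would attach it
// to a request for reqURL. This cross-checks pathMatch against the standard
// library instead of trusting the hand-written implementation alone.
func sentByJar(cookiePath, reqURL string) (bool, error) {
	jar, err := cookiejar.New(nil)
	if err != nil {
		return false, err
	}
	loginURL, err := url.Parse("http://localhost/grafana/login") // constructed
	if err != nil {
		return false, err
	}
	jar.SetCookies(loginURL, []*http.Cookie{{
		Name:     "grafana_session",
		Value:    "example-not-a-real-session", // constructed value
		Path:     cookiePath,
		HttpOnly: true,
	}})
	u, err := url.Parse(reqURL)
	if err != nil {
		return false, err
	}
	for _, c := range jar.Cookies(u) {
		if c.Name == "grafana_session" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	// Compare the pre-commit path (trailing slash) with the post-commit one.
	for _, cookiePath := range []string{"/grafana/", cookiePathFor("/grafana")} {
		for _, req := range []string{"/grafana", "/grafana/", "/grafana/login", "/grafanalogs"} {
			sent, err := sentByJar(cookiePath, "http://localhost"+req)
			if err != nil {
				panic(err)
			}
			fmt.Printf("cookie Path=%-11q request %-16q pathMatch=%-5v jar=%v\n",
				cookiePath, req, pathMatch(cookiePath, req), sent)
		}
	}
}
```

The `/grafanalogs` row is the caveat worth keeping in mind when dropping the slash: the RFC's "next character is /" clause is what stops `Path=/grafana` from leaking the session cookie to a sibling path that merely shares the prefix, so removing the trailing slash does not widen the cookie's scope beyond the sub-URL and its descendants.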
This commit is contained in:
Erik Sundell
2020-04-06 16:56:19 +02:00
committed by GitHub
parent 2299e6bfef
commit d94796a022
4 changed files with 38 additions and 11 deletions


@@ -264,10 +264,14 @@ func TestMiddlewareContext(t *testing.T) {
}
for _, sameSitePolicy := range sameSitePolicies {
setting.CookieSameSiteMode = sameSitePolicy
expectedCookiePath := "/"
if len(setting.AppSubUrl) > 0 {
expectedCookiePath = setting.AppSubUrl
}
expectedCookie := &http.Cookie{
Name: setting.LoginCookieName,
Value: "rotated",
Path: setting.AppSubUrl + "/",
Path: expectedCookiePath,
HttpOnly: true,
MaxAge: int(maxAge),
Secure: setting.CookieSecure,
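Review bot: `expectedCookiePath = setting.AppSubUrl` assumes `AppSubUrl` never carries a trailing slash; if a deployment configures it as `/grafana/`, the expected `Path` keeps the very slash the commit message says to drop, and the assertion would pass or fail depending on how the sub-URL was written rather than on the invariant. Consider `expectedCookiePath = strings.TrimSuffix(setting.AppSubUrl, "/")` here, or add a case whose `AppSubUrl` ends in "/" so the test shows that the production code normalizes it.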
@@ -291,10 +295,14 @@ func TestMiddlewareContext(t *testing.T) {
Convey("Should not set cookie with SameSite attribute when setting.CookieSameSiteDisabled is true", func() {
setting.CookieSameSiteDisabled = true
setting.CookieSameSiteMode = http.SameSiteLaxMode
expectedCookiePath := "/"
if len(setting.AppSubUrl) > 0 {
expectedCookiePath = setting.AppSubUrl
}
expectedCookie := &http.Cookie{
Name: setting.LoginCookieName,
Value: "rotated",
Path: setting.AppSubUrl + "/",
Path: expectedCookiePath,
HttpOnly: true,
MaxAge: int(maxAge),
Secure: setting.CookieSecure,
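Review bot: these four `expectedCookiePath` lines are a verbatim copy of the same block in the previous hunk; pulling them into a small helper in the test file (for example `expectedCookiePath()` returning `"/"` when `setting.AppSubUrl` is empty and `setting.AppSubUrl` otherwise) would let both subtests share one definition of the path rule, so a later change to it cannot leave one subtest asserting the old behaviour.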