Diffusion hydra ed33e59c5aa1

Fix login issue with stale HTTP vs HTTPS cookies

Description

Summary:
In D758, I tightened the scope for which we issue cookies. Instead of setting
them on the whole domain we set them only on the subdomain, and we set them as
HTTPS only if the install is HTTPS.

However, this can leave the user with a stale HTTP cookie which the browser
sends and which never gets cleared. Handle this situation by:

  • Clear all four <domain, https> pairs when clearing cookies ("nuke it from orbit").

  • Clear 'phsid' cookies when they're invalid.

Test Plan: Applied a hackier version of this patch to secure.phabricator.com and
was able to log in with a stale HTTP cookie.

Reviewers: jungejason, tuomaspelkonen, aran

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 838
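
The stale-cookie situation from the summary, modelled as an added example (not code from this commit or from Phabricator): a simplified cookie jar keyed by name, domain and path as in RFC 6265, showing why clearing only the new scope leaves the old cookie in place. The domains, the `Jar` class and the helper names are assumptions made for the illustration.

```python
"""Constructed model of an RFC 6265-style cookie jar; all names are hypothetical."""
from itertools import product

BASE, HOST = "example.com", "secure.example.com"   # constructed domains


def domain_match(host, domain):
    # RFC 6265 section 5.1.3: exact match, or host ends with "." + domain
    return host == domain or host.endswith("." + domain)


class Jar:
    def __init__(self):
        self.cookies = {}   # (name, domain, path) -> (value, secure)

    def set(self, name, value, domain, secure, path="/", expired=False):
        key = (name, domain, path)
        if expired:
            self.cookies.pop(key, None)   # a past expiry evicts only this exact key
        else:
            self.cookies[key] = (value, secure)

    def sent_to(self, host, https):
        # Cookies the browser attaches to a request for `host`
        return [(name, value)
                for (name, domain, _), (value, secure) in self.cookies.items()
                if domain_match(host, domain) and (https or not secure)]


def clear_all_scopes(jar, name):
    # Expire the cookie for every <domain, https> pair, as the summary describes.
    # This model keys storage on domain only, so the secure variants repeat
    # the non-secure ones here; all four are still issued.
    for domain, secure in product((BASE, HOST), (False, True)):
        jar.set(name, "", domain, secure, expired=True)


def demo():
    jar = Jar()
    jar.set("phsid", "stale", BASE, secure=False)   # old scope: whole domain, HTTP
    jar.set("phsid", "fresh", HOST, secure=True)    # new scope: subdomain, HTTPS only
    both = jar.sent_to(HOST, https=True)
    jar.set("phsid", "", HOST, secure=True, expired=True)   # clear the new scope only
    after_narrow = jar.sent_to(HOST, https=True)
    clear_all_scopes(jar, "phsid")
    after_all = jar.sent_to(HOST, https=True)
    return both, after_narrow, after_all


if __name__ == "__main__":
    for step in demo():
        print(step)
```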

Details

Provenance
epriestley Authored on Aug 19 2011, 2:43 PM
sirocyl Pushed on Oct 16 2024, 5:49 AM
Parents
R1:51bd08da279c: Merge pull request #49 from CodeBlock/master
Branches
Unknown
Tags
Unknown
