Consolidate use of magical cookie name strings
ClosedPublic
Actions

Authored by epriestley on Jan 23 2014, 5:35 PM.

Details

Reviewers

btrahan

Maniphest Tasks

T4339: Support CSRF for logged-out users

Commits

Summary

Ref T4339. We have more magical cookie names than we should, move them all to a central location.

Test Plan

Registered, logged in, linked account, logged out. See inlines.

Branch

csrf1

Lint

Lint Passed

Severity	Location	Code	Message
Advice	src/aphront/console/DarkConsoleDataController.php:63	XHP14	Misuse of preg_quote()
Advice	src/applications/people/storage/PhabricatorUserLog.php:69	XHP16	TODO Comment

Unit

Tests Passed

src/aphront/console/DarkConsoleDataController.php
61–63	This fixes a small theoretical issue caused by the recent cookie prefix patch, where this filter could fail to strip session keys if you prefixed cookies.
src/applications/auth/controller/PhabricatorAuthController.php
116	This is a GET parameter to the login validation controller, which makes sure you logged in as the user we expect and that your cookies got set correctly. I changed the name to `'expect'` to make it more clear that it is not directly handling the `'phcid'` cookie.
src/applications/auth/controller/PhabricatorAuthStartController.php
27	This fixes two small user experience issues: If the user had a bad `phsid` cookie, but no `phusr` cookie, we wouldn't enter this block, so they'd miss the useful message. If the user had a bad `phsid` cookie with value `"0"`, we wouldn't enter this block.
src/applications/auth/controller/PhabricatorLogoutController.php
36	For consistency, treat the session `"0"` as a real session, although it is vanishingly unlikely to be valid.
55	(Unrelated cleanup, these two versions display identically.)
src/applications/settings/panel/PhabricatorSettingsPanelSessions.php
43–44	Fixes TODO, this table now has a real ID column.