
Don't try to set anonymous session cookie on CDN/file domain
Closed, Public

Authored by epriestley on Jan 24 2014, 6:42 PM.

Details

Reviewers
btrahan
csilvers
Maniphest Tasks
Restricted Maniphest Task
Commits
Restricted Diffusion Commit
rP11786fb1cc84: Don't try to set anonymous session cookie on CDN/file domain
Summary

Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan

Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped
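
The behaviour the summary describes, as an added example that is not part of this revision or of Phabricator's code: cookies are permitted only on the base domain and listed alternate domains, so a request arriving on an unlisted file/CDN domain should skip the anonymous session cookie rather than attempt it and trip the security rule. All function names, config keys and domains below are hypothetical or constructed.

```php
<?php
// Added illustration: every name and domain here is hypothetical/constructed.

// Lowercased host name of a URI or of a bare "host:port" Host header value.
function example_host(string $value): ?string {
  if (strpos($value, '://') === false) {
    $value = 'http://'.$value;
  }
  $host = parse_url(trim($value), PHP_URL_HOST);
  return is_string($host) ? strtolower(rtrim($host, '.')) : null;
}

// Cookies are permitted only on the base domain and listed alternate domains.
function example_cookie_allowed(string $host_header, array $config): bool {
  $uris = array_merge(array($config['base-uri']), $config['alternate-uris']);
  $allowed = array_filter(array_map('example_host', $uris));
  $host = example_host($host_header);
  return $host !== null && in_array($host, $allowed, true);
}

// The security rule: refuse to write a cookie on any other domain.
function example_set_cookie(string $host_header, array $config): string {
  if (!example_cookie_allowed($host_header, $config)) {
    throw new Exception("Refusing to set cookie on '{$host_header}'.");
  }
  return 'cookie set';
}

// Behaviour after the change: check first, and skip instead of failing.
function example_start_anonymous_session(string $host_header, array $config): string {
  if (!example_cookie_allowed($host_header, $config)) {
    return 'skipped';
  }
  return example_set_cookie($host_header, $config);
}

$config = array(
  'base-uri' => 'https://phabricator.example.com/',
  'alternate-uris' => array(),                       // file domain not listed
  'file-uri' => 'https://files.example-cdn.net/',
);
$file_host = example_host($config['file-uri']);

echo example_start_anonymous_session('phabricator.example.com', $config), "\n";
echo example_start_anonymous_session($file_host.':443', $config), "\n";

// Listing the file domain as an alternate (the author's setup) permits cookies.
$config['alternate-uris'][] = $config['file-uri'];
echo example_start_anonymous_session($file_host, $config), "\n";
```

Calling `example_set_cookie()` directly for the unlisted file domain throws, which corresponds to the error the test plan reproduces before the patch.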