
Don't try to set anonymous session cookie on CDN/file domain
Closed, Public

Authored by epriestley on Jan 24 2014, 6:42 PM.

Details

Reviewers
btrahan
csilvers
Maniphest Tasks
Restricted Maniphest Task
Commits
Restricted Diffusion Commit
rP11786fb1cc84: Don't try to set anonymous session cookie on CDN/file domain
Summary

Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan

Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.
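
The host check the summary describes, as an added PHP example that is not Phabricator's code or part of this revision. The config keys (`base_uri`, `alternate_uris`, `file_uri`), the function names and the hosts are constructed for illustration, and the request host is assumed to carry no port.

```php
<?php
// Added example; not Phabricator's code. Keys, names and hosts are constructed.

// Lowercased host of a URI, or null when the URI is unset or has no host.
function host_of(?string $uri): ?string {
  if ($uri === null || $uri === '') {
    return null;
  }
  $host = parse_url($uri, PHP_URL_HOST);
  return is_string($host) ? strtolower($host) : null;
}

// Classify a request host (no port) as primary, alternate, file or unknown.
// Alternates are checked before the file domain, so a file domain that is
// also listed as an alternate counts as a cookie-capable host.
function classify_host(string $request_host, array $config): string {
  $host = strtolower($request_host);
  if ($host === host_of($config['base_uri'])) {
    return 'primary';
  }
  foreach ($config['alternate_uris'] as $uri) {
    if ($host === host_of($uri)) {
      return 'alternate';
    }
  }
  if ($host === host_of($config['file_uri'] ?? null)) {
    return 'file';
  }
  return 'unknown';
}

// Only issue the anonymous session cookie on hosts that may hold cookies.
function should_set_anonymous_cookie(string $host, array $config): bool {
  return in_array(classify_host($host, $config), ['primary', 'alternate'], true);
}

$config = [
  'base_uri' => 'https://phabricator.example.com/',
  'alternate_uris' => [],  // file domain not listed as an alternate
  'file_uri' => 'https://files.example-cdn.net/',
];
foreach (['phabricator.example.com', 'files.example-cdn.net'] as $host) {
  printf("%s => %s\n", $host,
    should_set_anonymous_cookie($host, $config) ? 'set cookie' : 'skip');
}
```

Adding the file URI to `alternate_uris` makes the second host classify as `alternate`, which is the configuration under which the summary says the problem went unnoticed.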

Diff Detail

Lint
Lint Skipped
Unit
Tests Skipped