Don't try to set anonymous session cookie on CDN/file domain
ClosedPublic
Actions

Authored by epriestley on Jan 24 2014, 6:42 PM.

Tags

None

Referenced Files

	F14839667: D8057.id18232.diff
	Sat, Feb 1, 12:15 AM

	F14839054: D8057.diff
	Fri, Jan 31, 8:07 PM

	Unknown Object (File)
	Thu, Jan 23, 7:54 PM

	Unknown Object (File)
	Tue, Jan 14, 4:47 AM

	Unknown Object (File)
	Thu, Jan 2, 7:34 PM

	Unknown Object (File)
	Dec 20 2024, 8:21 PM

	Unknown Object (File)
	Dec 15 2024, 5:26 PM

	Unknown Object (File)
	Dec 15 2024, 2:21 PM

View All Files

Subscribers

aran

Details

Reviewers

btrahan
csilvers

Maniphest Tasks

Restricted Maniphest Task

Commits

Restricted Diffusion Commit
rP11786fb1cc84: Don't try to set anonymous session cookie on CDN/file domain

Summary

Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan

Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.

Diff Detail

Lint

Lint Skipped

Unit

Tests Skipped

Event Timeline

btrahan accepted this revision.Jan 24 2014, 7:26 PM

Closed by commit rP11786fb1cc84 (authored by @epriestley).

Revision Contents
Changeset List

Path

Size

src/

aphront/

AphrontRequest.php

117 lines

applications/

base/

controller/

PhabricatorController.php

8 lines

Diff 18236

View Options

src/aphront/AphrontRequest.php