Page MenuHomePhabricator
Differential D8537

Tune cookie behaviors for 'phcid', 'phreg', etc
ClosedPublic
Actions

Authored by epriestley on Mar 14 2014, 7:46 PM.
Tags
None
Referenced Files
F15504232: D8537.id.diff
Mon, Apr 14, 4:54 PM
F15503723: D8537.id20264.diff
Mon, Apr 14, 12:33 PM
F15503551: D8537.id20258.diff
Mon, Apr 14, 10:42 AM
F15502325: D8537.diff
Sun, Apr 13, 11:49 PM
F15424476: D8537.id.diff
Mar 22 2025, 10:34 PM
F15390113: D8537.id20258.diff
Mar 15 2025, 5:55 AM
F15337568: D8537.diff
Mar 9 2025, 6:31 AM
F15309171: D8537.id20258.diff
Mar 6 2025, 6:58 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T3471: Be more conservative in overwriting `phcid`
Commits
Restricted Diffusion Commit
rP559c0fe88663: Tune cookie behaviors for 'phcid', 'phreg', etc
Summary

Fixes T3471. Specific issues:

  • Add the ability to set a temporary cookie (expires when the browser closes).
  • We overwrote 'phcid' on every page load. This creates some issues with browser extensions. Instead, only write it if isn't set. To counterbalance this, make it temporary.
  • Make the 'next_uri' cookie temporary.
  • Make the 'phreg' cookie temporary.
  • Fix an issue where deleted cookies would persist after 302 (?) in some cases (this is/was 100% for me locally).
Test Plan
  • Closed my browser, reopned it, verified temporary cookies were gone.
  • Logged in, authed, linked, logged out.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 20258.Mar 14 2014, 7:46 PM
epriestley retitled this revision from to Tune cookie behaviors for 'phcid', 'phreg', etc.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T3471: Be more conservative in overwriting `phcid`.
Herald added a subscriber: epriestley.Mar 14 2014, 7:46 PM
btrahan accepted this revision.Mar 14 2014, 8:06 PM
btrahan edited edge metadata.

First I can't have $_GET / $_POST parameters called 'code', and now I can't have $_COOKIE values of 'deleted' ?

Macro suchwow: much sparta such writ

This revision is now accepted and ready to land.Mar 14 2014, 8:06 PM
epriestley added a comment.Mar 14 2014, 8:08 PM

Yeah, this technically burns users with the username deleted, since it won't prefill in the "Username: ..." field anymore.

We could put some kind of escaping on that cookie if anyone ever complains.

epriestley closed this revision.Mar 14 2014, 9:33 PM
epriestley updated this revision to Diff 20264.

Closed by commit rP559c0fe88663 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
aphront/
68 lines
applications/
auth/
constants/
32 lines
controller/
4 lines
2 lines
6 lines

Diff 20264

View Options

src/aphront/AphrontRequest.php

Loading...
View Options

src/applications/auth/constants/PhabricatorCookies.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthLinkController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthLoginController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthStartController.php

Loading...
Phabricator · Built by Phacility