Page MenuHomePhabricator
Differential D8537

Tune cookie behaviors for 'phcid', 'phreg', etc
ClosedPublic
Actions

Authored by epriestley on Mar 14 2014, 7:46 PM.
Tags
None
Referenced Files
F18780613: D8537.id20258.diff
Sun, Oct 12, 5:52 PM
F18760881: D8537.diff
Mon, Oct 6, 11:04 AM
F18735875: D8537.id.diff
Wed, Oct 1, 3:47 AM
F18734690: D8537.id.diff
Tue, Sep 30, 10:59 PM
F18584942: D8537.diff
Sep 11 2025, 2:09 PM
F18107105: D8537.diff
Aug 10 2025, 11:40 PM
F18088348: D8537.diff
Aug 6 2025, 7:34 AM
F17997004: D8537.id20264.diff
Aug 2 2025, 4:48 AM
View All Files
Subscribers
epriestley

Details

Reviewers
btrahan
Maniphest Tasks
T3471: Be more conservative in overwriting `phcid`
Commits
Restricted Diffusion Commit
rP559c0fe88663: Tune cookie behaviors for 'phcid', 'phreg', etc
Summary

Fixes T3471. Specific issues:

  • Add the ability to set a temporary cookie (expires when the browser closes).
  • We overwrote 'phcid' on every page load. This creates some issues with browser extensions. Instead, only write it if isn't set. To counterbalance this, make it temporary.
  • Make the 'next_uri' cookie temporary.
  • Make the 'phreg' cookie temporary.
  • Fix an issue where deleted cookies would persist after 302 (?) in some cases (this is/was 100% for me locally).
Test Plan
  • Closed my browser, reopned it, verified temporary cookies were gone.
  • Logged in, authed, linked, logged out.

Diff Detail

Repository
rP Phabricator
Lint
Lint Skipped
Unit
Tests Skipped

Event Timeline

epriestley updated this revision to Diff 20258.Mar 14 2014, 7:46 PM
epriestley retitled this revision from to Tune cookie behaviors for 'phcid', 'phreg', etc.
epriestley updated this object.
epriestley edited the test plan for this revision. (Show Details)
epriestley added a reviewer: btrahan.
epriestley added a task: T3471: Be more conservative in overwriting `phcid`.
Herald added a subscriber: epriestley.Mar 14 2014, 7:46 PM
btrahan accepted this revision.Mar 14 2014, 8:06 PM
btrahan edited edge metadata.

First I can't have $_GET / $_POST parameters called 'code', and now I can't have $_COOKIE values of 'deleted' ?

Macro suchwow: much sparta such writ

This revision is now accepted and ready to land.Mar 14 2014, 8:06 PM
epriestley added a comment.Mar 14 2014, 8:08 PM

Yeah, this technically burns users with the username deleted, since it won't prefill in the "Username: ..." field anymore.

We could put some kind of escaping on that cookie if anyone ever complains.

epriestley closed this revision.Mar 14 2014, 9:33 PM
epriestley updated this revision to Diff 20264.

Closed by commit rP559c0fe88663 (authored by @epriestley).

Revision Contents
Changeset List

PathSize
src/
aphront/
68 lines
applications/
auth/
constants/
32 lines
controller/
4 lines
2 lines
6 lines

Diff 20264

View Options

src/aphront/AphrontRequest.php

Loading...
View Options

src/applications/auth/constants/PhabricatorCookies.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthLinkController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthLoginController.php

Loading...
View Options

src/applications/auth/controller/PhabricatorAuthStartController.php

Loading...
Phabricator · Built by Phacility