
Don't try to set anonymous session cookie on CDN/file domain
ClosedPublic

Authored by epriestley on Jan 24 2014, 6:42 PM.

Details

Reviewers
btrahan
csilvers
Maniphest Tasks
Restricted Maniphest Task
Commits
Restricted Diffusion Commit
rP11786fb1cc84: Don't try to set anonymous session cookie on CDN/file domain
Summary

Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan

Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.
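
The host check described in the summary, as an added PHP sketch that is not the code from this revision: decide per request whether to set the anonymous session cookie, skip it because the request is for the file domain, or refuse. The config keys, function names and hostnames are hypothetical, and the `refuse` branch for unrecognized hosts is an assumption.

```php
<?php
// Added illustration. Config keys and function names are hypothetical,
// not Phabricator's own; all hostnames below are constructed.

// Hosts that may carry session cookies: the base URI plus any alternates.
function cookie_hosts(array $config): array {
  $uris = array_merge([$config['base-uri']], $config['alternate-uris']);
  return array_map(fn($u) => strtolower(parse_url($u, PHP_URL_HOST)), $uris);
}

// True when the request host is the configured CDN/file domain.
function is_file_domain(string $host, array $config): bool {
  if (empty($config['file-uri'])) {
    return false;
  }
  return $host === strtolower(parse_url($config['file-uri'], PHP_URL_HOST));
}

// 'set':    host is allowed to carry cookies.
// 'skip':   cookie-less file domain, so don't attempt the anonymous cookie.
// 'refuse': unrecognized host (assumed handling; the page doesn't cover it).
function anonymous_cookie_action(string $host_header, array $config): string {
  $host = strtolower(preg_replace('/:\d+$/', '', $host_header));
  if (in_array($host, cookie_hosts($config), true)) {
    return 'set';
  }
  if (is_file_domain($host, $config)) {
    return 'skip';
  }
  return 'refuse';
}

$separate = [
  'base-uri' => 'https://phab.example.com/',
  'alternate-uris' => [],
  'file-uri' => 'https://files.example-cdn.net/',
];
// Same install, but with the file domain also listed as an alternate.
$listed = $separate;
$listed['alternate-uris'] = ['https://files.example-cdn.net/'];

foreach (['phab.example.com', 'files.example-cdn.net:443', 'other.example.org'] as $h) {
  printf("%-26s separate=%-6s listed=%s\n", $h,
    anonymous_cookie_action($h, $separate),
    anonymous_cookie_action($h, $listed));
}
```

With the file domain also listed as an alternate, the file host returns `set` instead of `skip`, which is the configuration the summary says hid the problem in testing.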

Diff Detail

Branch
cookiealt
Lint
Lint Passed
Unit
Tests Passed