Add path to cookie

rap1ds · February 26, 2016, 9:42am

When Discourse is hosted from a subfolder (e.g. /forum) it seems that the cookie is still set to the root folder /.

To me this sounds like a potential security issue. For example, if a forum is hosted in /forum and a WordPress blog is hosted in /blog, the cookie with Discourse session is sent also to the WordPress site.

This should be pretty easy to fix by changing config/initializer/100-session_store.rb from

Discourse::Application.config.session_store :cookie_store, key: '_forum_session'

to

Discourse::Application.config.session_store(
  :cookie_store,
  key: '_forum_session',
  path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
)

To my understanding this change shouldn’t invalidate existing sessions, because cookies for root folder / work also for subdirectory /forum. So the migration path should be ok.

Does this make sense? I could make a PR if you think this makes sense.

rap1ds · February 26, 2016, 10:01am

One addition. In this guide Use a subfolder (path prefix) to serve Discourse with multiple servers sharing a domain it says that

Note: This won’t work for serving multiple Discourse instances from different folders on the same domain. You need to use different subdomains so that each site can have different cookies.

So with this change you could remove that note. There’s no need for different subdomain if the cookies are scoped by the path. Or are there any other reasons why one couldn’t host two Discourse instances from different folders?

gerhard · February 26, 2016, 12:19pm

It would be nice if Discourse set the correct cookie path, but it’s definitely not a security issue.

codinghorror · February 26, 2016, 8:54pm

@neil we should look at doing this if it is not too risky. Feels risky to me for live sites though…

neil · March 1, 2016, 10:05pm

Yes please submit a PR. I’ll test it out myself to see how it impacts live sites after a deploy.

neil · March 7, 2016, 6:43pm

I tested the change and it’s safe. Sessions aren’t invalidated. I committed the change today.

Serving multiple Discourse instances from different paths on the same domain will most likely work now, but note that the instances can’t be served from one multisite setup. Multisite is still keyed off of domain, not path.

vikaskedia · June 20, 2017, 12:46pm

@neil

I have 2 discourse setups.

setup 1 running from www.site.com/d1/

setup 2 running from Salesforce Einstein 1 Platform for Application Development - Salesforce.com US

Problems noticed

I cannot remain logged into both the discourse setups at the same time
If I am logged into d1 and I refresh d2 I am logged out of d1.

More information about the setup:

Both are running in their own docker containers using their own DB
installed using discourse_docker
version is 1.9 beta2

sam · June 20, 2017, 1:13pm

Yeah we have a bug here:

https://github.com/discourse/discourse/blob/master/lib/auth/default_current_user_provider.rb#L157-L170

We need to explicitly add the path there, just like session has the path.

Unfortunately fixing this will log everyone off on all subfolder installs, but still, it is probably worth fixing.

@neil maybe look at adding path there?

vikaskedia · June 20, 2017, 2:49pm

@neil let me know once you commit the fix … I can check it out if it works …

neil · June 20, 2017, 5:31pm

@vikaskedia I pushed a fix so please try it out.

vikaskedia · June 20, 2017, 5:49pm

Ok I am following the steps here to upgrade:

and will let you know soon

vikaskedia · June 20, 2017, 6:59pm

@neil damm man … it works !!

I am successfully logged into
www.site.com/d1/
and
www.site.com/d2/

Very good …

vikaskedia · June 20, 2017, 8:23pm

@neil I just started getting “internal server error 500” can this be related to the above fix …

The error auto corrects itself in a couple of minutes. So it seems to indicate it is the “rate limiting” issue.

But this is just me using the site and its a beefy server …

and i am seeing it for the first time after i upgraded.

neil · June 20, 2017, 8:27pm

Looks like your subfolder is missing? “/subfolder/faq”

vikaskedia · June 20, 2017, 8:28pm

If the subfolder was missing the error will come all the time.

This error is a transient error …

neil · June 20, 2017, 9:53pm

It sounds like another problem we saw today. @sam seems like this code is being hit in this case too? The cookie is invalid now?

sam · June 20, 2017, 9:58pm

I tested on local and it tries to reset the cookie, I guess it is failing cause it can no longer reset the cookie from the top level path

vikaskedia · June 21, 2017, 4:53am

Related ?
https://meta.discourse.org/t/video-demo-of-oauth2-failing-intermitently/64835

vikaskedia · June 21, 2017, 2:46pm

Let me know when you release a fix … I will check it out …

sam · June 21, 2017, 3:12pm

Try deleting cookies, does the problem go away?

Topic		Replies	Views
Use a subfolder (path prefix) to serve Discourse with multiple servers sharing a domain Self-Hosting subfolder , how-to , advanced-setup , domains	0	13047	June 26, 2015
Setting the session token '_t' on the entire domain, not just my subdomain Dev	6	5301	May 1, 2016
Install Discourse on a residential internet with Cloudflare Tunnel Sysadmins arm , how-to , raspberry-pi , install	59	7075	October 15, 2024
Discourse session cookies (400 Request Header Or Cookie Too Large) Installation	9	2031	October 20, 2022
Discourse installation for beginners but are willing to be part of the community Installation	62	3565	September 17, 2019

Add path to cookie

Problems noticed

More information about the setup:

Related topics