When Discourse is hosted from a subfolder (e.g. /forum) it seems that the cookie is still set to the root folder.
To me this sounds like a potential security issue. For example, if a forum is hosted in /forum and a WordPress blog is hosted in /blog, the cookie with the Discourse session is also sent to the WordPress site.
This should be pretty easy to fix by changing
Discourse::Application.config.session_store :cookie_store, key: '_forum_session'
to
Discourse::Application.config.session_store( :cookie_store, key: '_forum_session', path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root )
/ work also for subdirectory /forum. So the migration path should be ok.
Does this make sense? I could make a PR if you think this makes sense.
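The scoping difference described in the post, as an added example that is not part of the original post or of Discourse's code: it applies the RFC 6265 section 5.1.4 path-match rule to show which requests on one host would carry the session cookie for Path=/ versus Path=/forum. The helper names and the sample request paths are assumptions constructed for illustration.

```ruby
# Added example: RFC 6265 section 5.1.4 path matching, used to see which
# requests would carry the session cookie. Helper names are hypothetical.

# Returns true when a cookie scoped to cookie_path is sent with request_path.
def path_match?(cookie_path, request_path)
  return true if cookie_path == request_path
  return false unless request_path.start_with?(cookie_path)
  # A prefix match counts only on a "/" boundary, so "/forum" does not
  # cover "/forum-archive".
  cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
end

# Mirrors the proposed setting: fall back to "/" when no subfolder is
# configured (nil or empty relative_url_root).
def session_cookie_path(relative_url_root)
  root = relative_url_root.to_s
  root.empty? ? "/" : root
end

# Constructed sample request paths on one host.
REQUESTS = [
  "/forum",
  "/forum/t/topic/1",
  "/blog/wp-login.php",
  "/forum-archive/",
  "/"
].freeze

# Lists the request paths that would receive a cookie with the given Path.
def recipients(cookie_path)
  REQUESTS.select { |p| path_match?(cookie_path, p) }
end

if __FILE__ == $PROGRAM_NAME
  [nil, "/forum"].each do |root|
    path = session_cookie_path(root)
    puts "Path=#{path} -> #{recipients(path).inspect}"
  end
end
```

The Path attribute only narrows which requests the browser attaches the cookie to; RFC 6265 itself notes that it is not an isolation boundary between applications sharing one origin.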