Add path to cookie

vikaskedia · June 21, 2017, 3:35pm

@sam I took your suggestion … deleted all the cookies and I still hit the bug.

Please see the attached video:

neil · June 21, 2017, 6:48pm

I can go back and forth between two sites at the same domain, different subfolders, and I don’t see anything out of the ordinary hitting the auth logs.

6 - seen token
5 - rotate
4 - seen token
3 - rotate
...

Those don’t happen very often.

vikaskedia · June 21, 2017, 6:54pm

@neil I can give you access to my system remotely if it helps you debug.

I am able to replicate the bug in the video every time.

neil · June 21, 2017, 6:54pm

I believe you, but subfolder debugging… ugh. Still working on it.

neil · June 21, 2017, 7:51pm

So you deleted your cookies but still have the problem?

vikaskedia · June 21, 2017, 7:54pm

yes … I wanted to make sure I did it … so I also recorded it in the video

neil · June 21, 2017, 8:18pm

Hmm, the problem definitely goes away for me when i’ve cleared cookies. Do yours look like this now?

vikaskedia · June 21, 2017, 8:33pm

Yes !!

neil · June 21, 2017, 8:35pm

I reverted the other fix, so you should undo that change since it’s worse behaviour than before. I don’t understand what you’re seeing, or how to fix what I’m seeing.

vikaskedia · June 21, 2017, 8:37pm

maybe its time for big boss @sam to step in !!

codinghorror · June 21, 2017, 10:13pm

We are deferring on this for now. Running two instances of Discourse on the same domain in different subfolders is not a supported config at the moment. We may circle back to this in a few months, though.

vikaskedia · June 21, 2017, 11:58pm

makes sense … being able to say 'No" creates a great product.

Falco · November 23, 2017, 9:57pm

We will give another go at this soon.

vikaskedia · March 29, 2018, 10:44pm

Please close this issue. It works now. By setting the DISCOURSE_TOKEN_COOKIE env var.

Thanks @Falco @neil

Well done !!

eviltrout · June 26, 2018, 8:30pm

As @vikaskedia mentioned earlier, there is a workaround. You can use a different cookie name for each subfolder by using DISCOURSE_TOKEN_COOKIE in your configuration.

However, there is still a bug here where cookies are not properly restricted to paths on subfolder installs, causing conflicts with their sessions. The only solution is to use a different cookie name for now.

A better fix from a security standpoint would be to restrict to the proper subfolder path per cookie.

codinghorror · June 26, 2018, 8:57pm

Can you scope how much work this would be, in terms of “T-shirt sizing”? Small, Medium, Large, XL, XXL?

sam · June 27, 2018, 7:25am

Somewhere between small and medium. It would log everyone off though when “fixed / changed”

codinghorror · June 27, 2018, 8:03am

Hmm that is fairly traumatic. Is there any way to fix it so it only logs people out on subfolder setups at least?

Topic		Replies	Views
Use a subfolder (path prefix) to serve Discourse with multiple servers sharing a domain Self-Hosting subfolder , how-to , advanced-setup , domains	0	13050	June 26, 2015
Setting the session token '_t' on the entire domain, not just my subdomain Dev	6	5302	May 1, 2016
Install Discourse on a residential internet with Cloudflare Tunnel Sysadmins arm , how-to , raspberry-pi , install	59	7081	October 15, 2024
Discourse session cookies (400 Request Header Or Cookie Too Large) Installation	9	2032	October 20, 2022
Discourse installation for beginners but are willing to be part of the community Installation	62	3566	September 17, 2019

Add path to cookie

Related topics