rap1ds
26 Febbraio 2016, 9:42am
1
When Discourse is hosted from a subfolder (e.g. /forum) it seems that the cookie is still set to the root folder /.
To me this sounds like a potential security issue. For example, if a forum is hosted in /forum and a WordPress blog is hosted in /blog, the cookie with Discourse session is sent also to the WordPress site.
This should be pretty easy to fix by changing config/initializer/100-session_store.rb from
Discourse::Application.config.session_store :cookie_store, key: '_forum_session'
to
Discourse::Application.config.session_store(
:cookie_store,
key: '_forum_session',
path: (Rails.application.config.relative_url_root.nil?) ? '/' : Rails.application.config.relative_url_root
)
To my understanding this change shouldn’t invalidate existing sessions, because cookies for root folder / work also for subdirectory /forum. So the migration path should be ok.
Does this make sense? I could make a PR if you think this makes sense.
3 Mi Piace
rap1ds
26 Febbraio 2016, 10:01am
2
One addition. In this guide Use a subfolder (path prefix) to serve Discourse with multiple servers sharing a domain it says that
Note: This won’t work for serving multiple Discourse instances from different folders on the same domain. You need to use different subdomains so that each site can have different cookies.
So with this change you could remove that note. There’s no need for different subdomain if the cookies are scoped by the path. Or are there any other reasons why one couldn’t host two Discourse instances from different folders?
4 Mi Piace
gerhard
26 Febbraio 2016, 12:19pm
3
It would be nice if Discourse set the correct cookie path, but it’s definitely not a security issue.
2 Mi Piace
@neil we should look at doing this if it is not too risky. Feels risky to me for live sites though…
4 Mi Piace
neil
1 Marzo 2016, 10:05pm
5
Yes please submit a PR.
2 Mi Piace
neil
7 Marzo 2016, 6:43pm
6
I tested the change and it’s safe. Sessions aren’t invalidated. I committed the change today.
Serving multiple Discourse instances from different paths on the same domain will most likely work now, but note that the instances can’t be served from one multisite setup . Multisite is still keyed off of domain, not path.
3 Mi Piace
vikaskedia
20 Giugno 2017, 12:46pm
7
@neil
I have 2 discourse setups.
setup 1 running from www.site.com/d1/
setup 2 running from Salesforce Einstein 1 Platform for Application Development - Salesforce.com US
I cannot remain logged into both the discourse setups at the same time
If I am logged into d1 and I refresh d2 I am logged out of d1.
Both are running in their own docker containers using their own DB
installed using discourse_docker
version is 1.9 beta2
4 Mi Piace
sam
20 Giugno 2017, 1:13pm
8
Yeah we have a bug here:
https://github.com/discourse/discourse/blob/master/lib/auth/default_current_user_provider.rb#L157-L170
We need to explicitly add the path there, just like session has the path.
Unfortunately fixing this will log everyone off on all subfolder installs, but still, it is probably worth fixing.
@neil maybe look at adding path there?
3 Mi Piace
@neil let me know once you commit the fix … I can check it out if it works …
neil
20 Giugno 2017, 5:31pm
10
@vikaskedia I pushed a fix so please try it out.
1 Mi Piace
vikaskedia
20 Giugno 2017, 5:49pm
11
Ok I am following the steps here to upgrade:
If you self-host Discourse, you occasionally need to run a manual update via the command line to get the latest security releases newest libraries. These updates are not picked up in admin/update, which is why you’ll occasionally need to do this additional step.
Discourse itself should be updated about twice a month, by clicking the “Update to Latest Version” button in your admin dashboard (admin/update).
Every two months we recommend SSH’ing into your web server (using putty or your favor…
and will let you know soon
vikaskedia
20 Giugno 2017, 6:59pm
12
@neil damm man … it works !!
I am successfully logged intowww.site.com/d1/ www.site.com/d2/
Very good …
4 Mi Piace
vikaskedia
20 Giugno 2017, 8:23pm
13
@neil I just started getting “internal server error 500” can this be related to the above fix …
The error auto corrects itself in a couple of minutes. So it seems to indicate it is the “rate limiting” issue.
But this is just me using the site and its a beefy server …
and i am seeing it for the first time after i upgraded.
neil
20 Giugno 2017, 8:27pm
14
Looks like your subfolder is missing? “/subfolder/faq”
vikaskedia
20 Giugno 2017, 8:28pm
15
If the subfolder was missing the error will come all the time.
This error is a transient error …
neil
20 Giugno 2017, 9:53pm
16
It sounds like another problem we saw today. @sam seems like this code is being hit in this case too? The cookie is invalid now?
2 Mi Piace
sam
20 Giugno 2017, 9:58pm
17
I tested on local and it tries to reset the cookie, I guess it is failing cause it can no longer reset the cookie from the top level path
3 Mi Piace
vikaskedia
21 Giugno 2017, 4:53am
18
vikaskedia
21 Giugno 2017, 2:46pm
19
Let me know when you release a fix … I will check it out …
sam
21 Giugno 2017, 3:12pm
20
Try deleting cookies, does the problem go away?
I’ll test it out myself to see how it impacts live sites after a deploy.
