
Fix login issue with stale HTTP vs HTTPS cookies

Authored by epriestley <git@epriestley.com> on Aug 19 2011, 20:43.

Description

Fix login issue with stale HTTP vs HTTPS cookies

Summary:
In D758, I tightened the scope for which we issue cookies. Instead of setting
them on the whole domain we set them only on the subdomain, and we set them as
HTTPS only if the install is HTTPS.

However, this can leave the user with a stale HTTP cookie which the browser
sends and which never gets cleared. Handle this situation by:

  • Clear all four <domain, https> pairs when clearing cookies ("nuke it from
    orbit").

  • Clear 'phsid' cookies when they're invalid.

Test Plan: Applied a hackier version of this patch to secure.phabricator.com and
was able to login with a stale HTTP cookie.

Reviewers: jungejason, tuomaspelkonen, aran

Reviewed By: jungejason

CC: aran, jungejason

Differential Revision: 838
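The two measures in the summary, as an added illustration that is not code from this commit or from Phabricator: a session cookie may have been issued under any of four scopes (the host itself or its parent domain, with or without Secure), and a deletion only removes a cookie whose name, domain and path match, so the clearing response must cover every scope. Because a browser holding both a stale parent-domain cookie and a fresh host cookie sends both under the same name, the lookup has to consider every 'phsid' value and only clear when none is valid. All function names, the session store, and the sample request are assumptions made for this example.

```python
# Added example, not code from the Phabricator commit: server-side handling of a
# stale session cookie that the browser keeps sending alongside a fresh one.
# Every name here (COOKIE_NAME, cookie_scopes, clear_cookie_headers,
# parse_cookie_header, lookup_session) is hypothetical.

COOKIE_NAME = "phsid"
EXPIRED = "Thu, 01 Jan 1970 00:00:00 GMT"


def cookie_scopes(host):
    """The four (domain, secure) pairs a cookie may have been issued under:
    the host itself and its parent domain, each with and without Secure.
    Assumption: the parent domain is the host minus its first label."""
    parent = host.split(".", 1)[1] if "." in host else host
    return [(domain, secure) for domain in (host, parent) for secure in (False, True)]


def clear_cookie_headers(name, host):
    """One expiring Set-Cookie per scope. A deletion only replaces a cookie
    whose name, domain and path match, so each scope needs its own header."""
    headers = []
    for domain, secure in cookie_scopes(host):
        value = f"{name}=deleted; Path=/; Domain={domain}; Expires={EXPIRED}; Max-Age=0"
        if secure:
            value += "; Secure"
        headers.append("Set-Cookie: " + value)
    return headers


def parse_cookie_header(header):
    """Return every value sent for each cookie name. A browser that holds a
    stale parent-domain cookie and a fresh host cookie under the same name
    sends both, e.g. 'phsid=stale; phsid=fresh'."""
    values = {}
    for part in header.split(";"):
        if "=" not in part:
            continue
        name, value = part.split("=", 1)
        values.setdefault(name.strip(), []).append(value.strip())
    return values


def lookup_session(cookie_header, valid_sessions, host):
    """Accept the first candidate the session store knows. If phsid values were
    sent and none is valid, return the clearing headers so the stale cookie
    stops being sent; send no headers when no phsid was present at all."""
    candidates = parse_cookie_header(cookie_header).get(COOKIE_NAME, [])
    for sid in candidates:
        if sid in valid_sessions:
            return valid_sessions[sid], []
    if candidates:
        return None, clear_cookie_headers(COOKIE_NAME, host)
    return None, []


if __name__ == "__main__":
    # Constructed sample: one live session, and a request carrying both a
    # stale HTTP-era cookie and the fresh one.
    sessions = {"fresh123": "alice"}
    host = "secure.phabricator.com"
    print(lookup_session("phsid=stale999; phsid=fresh123", sessions, host))
    user, headers = lookup_session("phsid=stale999", sessions, host)
    print(user)
    for h in headers:
        print(h)
```

One caveat worth knowing when applying this today: current browsers do not let a response delivered over plain http:// overwrite or delete a cookie carrying the Secure attribute, so the Secure variants of these deletions only take effect when the clearing response itself is served over HTTPS.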

Details

Committed
epriestley <git@epriestley.com>, Aug 19 2011, 23:09
Pushed
aubort, Jan 31 2017, 17:16
Parents
rPH51bd08da279c: Merge pull request #49 from CodeBlock/master
Branches
Unknown
Tags
Unknown

Event Timeline

epriestley <git@epriestley.com> committed rPHed33e59c5aa1: Fix login issue with stale HTTP vs HTTPS cookies (authored by epriestley <git@epriestley.com>). Aug 19 2011, 23:09