OSC / ood_appkit

https://osc.github.io/Open-OnDemand/
MIT License

Set default cookie path to match RAILS_RELATIVE_URL_ROOT #34

Closed nickjer closed 7 years ago

nickjer commented 7 years ago

Currently the default cookie path is /. This should match the RAILS_RELATIVE_URL_ROOT or whatever Rails helper method gives this.

ericfranz commented 7 years ago

The default session store is ActionDispatch::Session::CookieStore: http://api.rubyonrails.org/classes/ActionDispatch/Session/CookieStore.html

Because CookieStore extends Rack::Session::Abstract::Persisted, many of the options described there can be used to customize the session cookie that is generated.

So we can change the path in the initializer that sets the session store. For example in My Jobs we have this file:

https://github.com/OSC/ood-myjobs/blob/e6fd87bde56168dca83403fbeeb85a19ac1b66c8/config/initializers/session_store.rb

Rails.application.config.session_store :cookie_store, key: '_job_constructor_session'

We can add the path argument here:

Rails.application.config.session_store :cookie_store, key: '_job_constructor_session', path: "/pun/sys/myjobs"

Of course we would set this to RAILS_RELATIVE_URL_ROOT or whatever the Rails helper method is. The trick is that if we do this, it has to match the path that the user's browser is sending. There are Passenger env vars set that could be used for this.

nickjer commented 7 years ago

I am fine with ENV['RAILS_RELATIVE_URL_ROOT'] that is set by Passenger and we make use of it when we pre-compile assets.
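Added example, not part of the thread or of the project's code: a plain-Ruby sketch of deriving the cookie path from `RAILS_RELATIVE_URL_ROOT`, plus the RFC 6265 path-match rule, to show which apps on the same host receive the session cookie under `/` versus the app's own sub-URI. The helper names (`session_cookie_path`, `cookie_sent?`, `recipients`) and the sample request paths other than `/pun/sys/myjobs` are assumptions made for illustration.

```ruby
# Normalize RAILS_RELATIVE_URL_ROOT into a cookie path.
# Falls back to "/" when the variable is unset or blank (app served at the root).
def session_cookie_path(env = ENV)
  root = env["RAILS_RELATIVE_URL_ROOT"].to_s.strip
  return "/" if root.empty?
  root = "/#{root}" unless root.start_with?("/")
  # Drop trailing slashes so the value matches the sub-URI the browser requests.
  root = root.chomp("/") while root.length > 1 && root.end_with?("/")
  root
end

# RFC 6265 section 5.1.4 path-match: would a browser send a cookie scoped to
# cookie_path along with a request for request_path?
def cookie_sent?(cookie_path, request_path)
  return true if cookie_path == request_path
  return false unless request_path.start_with?(cookie_path)
  cookie_path.end_with?("/") || request_path[cookie_path.length] == "/"
end

# Constructed sample request paths: the app itself, a page inside it, a
# sibling whose name shares the prefix, and an unrelated app on the same host.
REQUESTS = %w[
  /pun/sys/myjobs
  /pun/sys/myjobs/workflows/1
  /pun/sys/myjobs2
  /pun/sys/otherapp
].freeze

# Request paths that would carry the session cookie for a given cookie path.
def recipients(cookie_path, requests = REQUESTS)
  requests.select { |path| cookie_sent?(cookie_path, path) }
end

# In the initializer quoted above, the helper would be used like this
# (shown as a comment because Rails is not loaded here):
#   Rails.application.config.session_store :cookie_store,
#     key: '_job_constructor_session', path: session_cookie_path

if __FILE__ == $PROGRAM_NAME
  scoped = session_cookie_path("RAILS_RELATIVE_URL_ROOT" => "/pun/sys/myjobs")
  puts "path=/      sent to: #{recipients('/').join(', ')}"
  puts "path=#{scoped} sent to: #{recipients(scoped).join(', ')}"
end
```

With the default `/`, every app on the host receives the My Jobs session cookie; scoped to the sub-URI, only requests at or below `/pun/sys/myjobs` carry it.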

nickjer commented 7 years ago

Yuck, seems we can't inject a default path without some serious monkey-patching here:

https://github.com/rails/rails/blob/b70fc698e157f2a768ba42efac08c08f4786b01c/actionpack/lib/action_dispatch/middleware/cookies.rb#L344-L360

in particular the line:

options[:path] ||= "/"