Add project prefix in session cookie path (!937) · Merge requests · GitLab.org / gitlab-pages

Naman Jagdish Gala requested to merge ngala/1088-session-cookie-path into master Dec 07, 2023

What does this MR do?

Add project prefix in session cookie path

Setting path variable at cookie level avoids leaking restricted and private projects/subgroups pages under the same top level group.
I have kept this under feature flag: FF_ENABLE_PROJECT_PREFIX_COOKIE_PATH
Related issue: Tech Eval: Set path variable at cookie level to... (#1088 - closed)

Cookie path documentation: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie#pathpath-value

Changelog: added

Recording:

Before this fix	After this fix
Before Session Cookie Path.mov	After Session Cookie Path.mov

TODO

Feature flag
- Added feature flag:
- This feature does not require a feature flag
I added the Changelog trailer to the commits that need to be included in the changelog (e.g. Changelog: added)
I added unit tests or they are not required
I added acceptance tests or they are not required
I added documentation (or it's not required)
I followed code review guidelines
I followed Go Style guidelines

Edited Dec 07, 2023 by Naman Jagdish Gala

Add project prefix in session cookie path

What does this MR do?

Recording:

TODO

Merge request reports