Sign-out deletes only GitLab site data, not all subdomains
What does this MR do and why?
Fix the sign-out process so it no longer deletes cookies from all 'sibling' subdomains: loop over the available cookies and delete each one individually instead of sending the Clear-Site-Data header, which appears to delete cookies for the entire domain.
Originally from community contribution MR !142740 (closed)
Related issues:
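The behaviour described above, modelled as an added example (this is not GitLab's code): a toy browser cookie jar compares a Clear-Site-Data sign-out with per-cookie deletion headers scoped to the GitLab host. The registrable domain `gdk.test`, the cookie name `app_session` and the `simulate` helper are assumptions constructed to match the validation steps.

```ruby
# Added example, not GitLab's code: shows why Clear-Site-Data: "cookies" clears
# sibling subdomains' cookies while per-cookie deletion headers do not.
Cookie = Struct.new(:name, :domain)
class BrowserCookieJar
  attr_reader :cookies
  def initialize
    @cookies = []
  end
  def store(name, domain)
    cookie = Cookie.new(name, domain)
    @cookies << cookie unless @cookies.include?(cookie)
  end
  # Clear-Site-Data: "cookies" drops every cookie on the request host's
  # registrable domain and its subdomains. Real browsers derive that domain
  # from the Public Suffix List; here the caller passes it in (assumption).
  def clear_site_data(registrable_domain)
    @cookies.reject! { |c| c.domain == registrable_domain || c.domain.end_with?(".#{registrable_domain}") }
  end
  # Apply one "name=; Max-Age=0; Domain=host" header sent by `host`. Per
  # RFC 6265 the browser honours it only when the host domain-matches the
  # Domain attribute, and it removes just that name on that domain.
  def apply_deletion(host, header)
    name = header.split("=", 2).first
    domain = header[/Domain=([^;]+)/i, 1] || host
    return unless host == domain || host.end_with?(".#{domain}")
    @cookies.reject! { |c| c.name == name && c.domain == domain }
  end
end
# Server side of the fix: one deletion header per cookie the request carried,
# each scoped to the GitLab host itself rather than the whole site.
def sign_out_headers(request_cookie_names, host)
  request_cookie_names.map { |n| "#{n}=; Max-Age=0; Path=/; Domain=#{host}" }
end
# Returns the cookie names left in the jar after signing out with `strategy`.
# Cookie and host names are constructed to match the validation steps.
def simulate(strategy)
  jar = BrowserCookieJar.new
  jar.store("app_session", "subdomain.gdk.test")    # GitLab's own cookie
  jar.store("tst_cook", "othersubdomain.gdk.test")  # sibling subdomain's cookie
  if strategy == :clear_site_data
    jar.clear_site_data("gdk.test")
  else
    sign_out_headers(["app_session"], "subdomain.gdk.test")
      .each { |h| jar.apply_deletion("subdomain.gdk.test", h) }
  end
  jar.cookies.map(&:name)
end
```

`simulate(:clear_site_data)` leaves the jar empty, while `simulate(:per_cookie)` keeps `tst_cook`, which is exactly the check the validation steps perform in the browser.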
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
Screenshots or screen recordings
Screenshots are required for UI changes, and strongly recommended for all other merge requests.
How to set up and validate locally
- Ensure your local GDK is using NGINX and a hostname.
- Change your hostname to a subdomain like `subdomain.gdk.test`. We will also need a second subdomain like `othersubdomain.gdk.test`; make sure these are both present in `/etc/hosts`.
- Run `gdk reconfigure` and `gdk restart` to use the subdomain for your hostname.
- Set up `othersubdomain` in NGINX: add the following block to `gitlab-development-kit/nginx/conf/nginx.conf` after the last `server {}` block in the file:

```nginx
server {
  listen othersubdomain.gdk.test:3444;
  location / {
    add_header Set-Cookie "tst_cook=capybara; Domain=othersubdomain.gdk.test" always;
    root ../gitlab/public/;
    index 422.html;
  }
}
```

- (optional) Run `gdk doctor` and ensure it does not output the message `nginx/conf/nginx.conf is not valid!`
- Run `gdk restart nginx`.
- Visit `http://othersubdomain.gdk.test:3444` in your browser.
  - You should see the 422 error page.
  - Check the cookies for this page in your browser's Web Inspector. You should see the `tst_cook` cookie with "Domain" listed as `othersubdomain.gdk.test`.
- Visit GitLab in your browser at `https://subdomain.gdk.test:3443` (or whatever subdomain and port you have chosen).
  - Log in, if needed.
- Log out.
- Reload the web inspector for the page `othersubdomain.gdk.test`: the cookie for that subdomain should still be present.
Edited by Andrew Evans