From 0087f939892e9eef5a642b84615ada6c0cdbdcd6 Mon Sep 17 00:00:00 2001
From: Eric Eastwood
Date: Thu, 1 Jun 2017 01:15:58 -0500
Subject: Update session cookie key name to be unique to instance in development

Fix https://gitlab.com/gitlab-org/gitlab-ce/issues/31644
---
 changelogs/unreleased/31644-make-cookie-sessions-unique.yml | 4 ++++
 config/initializers/session_store.rb | 8 +++++++-
 2 files changed, 11 insertions(+), 1 deletion(-)
 create mode 100644 changelogs/unreleased/31644-make-cookie-sessions-unique.yml

diff --git a/changelogs/unreleased/31644-make-cookie-sessions-unique.yml b/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
new file mode 100644
index 00000000000..e9a6a32cf70
--- /dev/null
+++ b/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
@@ -0,0 +1,4 @@
+---
+title: Update session cookie key name to be unique to instance in development
+merge_request:
+author:
diff --git a/config/initializers/session_store.rb b/config/initializers/session_store.rb
index 70be2617cab..8919f7640fe 100644
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@@ -10,6 +10,12 @@ rescue
 Settings.gitlab['session_expire_delay'] ||= 10080
 end
 
+cookie_key = if Rails.env.development?
+"_gitlab_session_#{Digest::SHA256.hexdigest(Rails.root.to_s)}"
+else
+"_gitlab_session"
+end
+
 if Rails.env.test?
 Gitlab::Application.config.session_store :cookie_store, key: "_gitlab_session"
 else
@@ -19,7 +25,7 @@ else
 Gitlab::Application.config.session_store(
 :redis_store, # Using the cookie_store would enable session replay attacks.
 servers: redis_config,
-key: '_gitlab_session',
+key: cookie_key,
 secure: Gitlab.config.gitlab.https,
 httponly: true,
 expires_in: Settings.gitlab['session_expire_delay'] * 60,
--
cgit v1.2.1
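Review bot: The `cookie_key` assignment in the first session_store.rb hunk carries no comment on why development gets a per-checkout cookie name, and its only consumer is the `key: cookie_key` line in the second hunk, so the motivation lives solely in the commit subject. I would add above it: `# In development, derive the cookie name from Rails.root so that several checkouts served from the same host (browsers do not isolate cookies by port) don't overwrite each other's session cookie.` — the port-sharing motivation is inferred from the linked issue rather than visible here, so confirm it before committing the wording. `Digest::SHA256` is referenced without a visible `require 'digest'`; Rails normally has it loaded by the time initializers run, but an explicit require at the top of the file would keep the initializer self-contained. Renaming the cookie invalidates existing development sessions once, which is harmless but worth a line in the changelog entry. The `secure:`/`httponly:` attributes in the second hunk are unchanged, so the per-checkout name does not weaken the cookie's protection flags.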