fix: set user agent cookie on host only (without subdomains) (#7297)

This PR changes the domain / prefix of the user agent cookie from including the subdomain to the domain only and therefore changing the prefix from __Secure to __Host. Note: As the cookie is used to determine existing session on the login UI, applying the change will require end-users to start a new session on the next login, since the existing ones cannot be retrieved anymore.
2024-12-13 03:24:26 +00:00 · 2024-02-15 07:53:59 +01:00 · 2024-02-15 07:53:59 +01:00 · d5266ea51c
commit d5266ea51c
parent 198bc017b8
2 changed files with 5 additions and 1 deletions
--- a/internal/api/http/cookie.go
+++ b/internal/api/http/cookie.go
@ -147,6 +147,10 @@ func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, host, v
 	secure := c.secureOnly || (sameSite == http.SameSiteNoneMode && domain == "localhost")
 	// prefix the cookie for secure cookies (TLS only, therefore not for samesite none on http://localhost)
 	prefixedName := SetCookiePrefix(name, c.secureOnly, c.prefix)
+	// in case the host prefix is set, we need to make sure the domain is not set (otherwise the browser will reject the cookie)
+	if secure && c.prefix == PrefixHost {
+		domain = ""
+	}
 	http.SetCookie(w, &http.Cookie{
 		Name:     prefixedName,
 		Value:    value,
--- a/internal/api/http/middleware/user_agent_cookie.go
+++ b/internal/api/http/middleware/user_agent_cookie.go
@ -46,7 +46,7 @@ func NewUserAgentHandler(config *UserAgentCookieConfig, cookieKey []byte, idGene
 	opts := []http_utils.CookieHandlerOpt{
 		http_utils.WithEncryption(cookieKey, cookieKey),
 		http_utils.WithMaxAge(int(config.MaxAge.Seconds())),
-		http_utils.WithPrefix(http_utils.PrefixSecure),
+		http_utils.WithPrefix(http_utils.PrefixHost),
 	}
 	if !externalSecure {
 		opts = append(opts, http_utils.WithUnsecure())