fix: set user agent cookie on host only (without subdomains) (#7297)

This PR changes the domain of the user agent cookie from the host including its subdomains to the host only, and therefore changes the cookie prefix from __Secure to __Host.

Note:
As the cookie is used to determine existing session on the login UI, applying the change will require end-users to start a new session on the next login, since the existing ones cannot be retrieved anymore.
This commit is contained in:
Livio Spring
2024-02-15 07:53:59 +01:00
committed by GitHub
parent 198bc017b8
commit d5266ea51c
2 changed files with 5 additions and 1 deletions


@@ -147,6 +147,10 @@ func (c *CookieHandler) httpSetWithSameSite(w http.ResponseWriter, name, host, v
secure := c.secureOnly || (sameSite == http.SameSiteNoneMode && domain == "localhost")
// prefix the cookie for secure cookies (TLS only, therefore not for samesite none on http://localhost)
prefixedName := SetCookiePrefix(name, c.secureOnly, c.prefix)
// in case the host prefix is set, we need to make sure the domain is not set (otherwise the browser will reject the cookie)
if secure && c.prefix == PrefixHost {
domain = ""
}
http.SetCookie(w, &http.Cookie{
Name: prefixedName,
Value: value,
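Review bot: Clearing `domain` at the `if secure && c.prefix == PrefixHost` line satisfies only one of the browser requirements for a `__Host-` cookie; the cookie is also rejected unless it is `Secure` and its `Path` is exactly `/`, and the `Path` field of the `http.Cookie` literal lies outside the hunk, so confirm it is set to `"/"` there rather than to a sub-path. The guard is keyed on `secure` while `SetCookiePrefix` is handed `c.secureOnly`; if the prefix is applied only when `c.secureOnly` is true, keying the guard on the same flag would make the two conditions visibly agree and avoid clearing the domain for the localhost/SameSite=None case where no prefix is presumably emitted. A comment such as `// __Host- cookies are only accepted without a Domain attribute and with Path=/` would document both requirements next to the reset. As the description notes, the previously set `__Secure-` cookie with the wider domain is not removed by this change and will linger in browsers until it expires; that is outside this hunk. The enclosing function and the cookie literal continue past the end of the hunk.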