diff --git a/cmd/web.go b/cmd/web.go index 45f35a35afe..83dfca4e671 100644 --- a/cmd/web.go +++ b/cmd/web.go @@ -97,9 +97,10 @@ func newMacaron() *macaron.Macaron { Config: *setting.SessionConfig, })) m.Use(csrf.Generate(csrf.Options{ - Secret: setting.SecretKey, - SetCookie: true, - Header: "X-Csrf-Token", + Secret: setting.SecretKey, + SetCookie: true, + Header: "X-Csrf-Token", + CookiePath: setting.AppSubUrl, })) m.Use(toolbox.Toolboxer(m, toolbox.Options{ HealthCheckFuncs: []*toolbox.HealthCheckFuncDesc{ diff --git a/modules/middleware/auth.go b/modules/middleware/auth.go index 8fae5d1eced..2bc05697a99 100644 --- a/modules/middleware/auth.go +++ b/modules/middleware/auth.go @@ -48,7 +48,7 @@ func Toggle(options *ToggleOptions) macaron.Handler { if strings.HasSuffix(ctx.Req.RequestURI, "watch") { return } - ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI)) + ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl) ctx.Redirect(setting.AppSubUrl + "/user/login") return } else if !ctx.User.IsActive && setting.Service.RegisterEmailConfirm { diff --git a/modules/middleware/repo.go b/modules/middleware/repo.go index 79b01133bdf..f17018ddf36 100644 --- a/modules/middleware/repo.go +++ b/modules/middleware/repo.go @@ -298,7 +298,7 @@ func RequireTrueOwner() macaron.Handler { return func(ctx *Context) { if !ctx.Repo.IsTrueOwner && !ctx.Repo.IsAdmin { if !ctx.IsSigned { - ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI)) + ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl) ctx.Redirect(setting.AppSubUrl + "/user/login") return } diff --git a/modules/setting/setting.go b/modules/setting/setting.go index 321282df25e..a1ab43d0222 100644 --- a/modules/setting/setting.go +++ b/modules/setting/setting.go @@ -380,6 +380,7 @@ func newSessionService() { SessionConfig = new(session.Config) SessionConfig.ProviderConfig = strings.Trim(Cfg.MustValue("session", "PROVIDER_CONFIG"), "\" ") SessionConfig.CookieName = Cfg.MustValue("session", "COOKIE_NAME", "i_like_gogits") + SessionConfig.CookiePath = AppSubUrl SessionConfig.Secure = Cfg.MustBool("session", "COOKIE_SECURE") SessionConfig.EnableSetCookie = Cfg.MustBool("session", "ENABLE_SET_COOKIE", true) SessionConfig.Gclifetime = Cfg.MustInt64("session", "GC_INTERVAL_TIME", 86400) diff --git a/routers/repo/issue.go b/routers/repo/issue.go index 3a028e58ff3..f854a22bbc6 100644 --- a/routers/repo/issue.go +++ b/routers/repo/issue.go @@ -54,7 +54,7 @@ func Issues(ctx *middleware.Context) { isShowClosed := ctx.Query("state") == "closed" if viewType != "all" && !ctx.IsSigned { - ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI)) + ctx.SetCookie("redirect_to", "/"+url.QueryEscape(setting.AppSubUrl+ctx.Req.RequestURI), 0, setting.AppSubUrl) ctx.Redirect(setting.AppSubUrl + "/user/login") return } diff --git a/routers/user/auth.go b/routers/user/auth.go index 71622e55439..c695f929a7f 100644 --- a/routers/user/auth.go +++ b/routers/user/auth.go @@ -52,8 +52,8 @@ func SignIn(ctx *middleware.Context) { defer func() { if !isSucceed { log.Trace("auto-login cookie cleared: %s", uname) - ctx.SetCookie(setting.CookieUserName, "", -1) - ctx.SetCookie(setting.CookieRememberName, "", -1) + ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl) + ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl) return } }() @@ -77,7 +77,7 @@ func SignIn(ctx *middleware.Context) { ctx.Session.Set("uid", u.Id) ctx.Session.Set("uname", u.Name) if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", "", -1) + ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) ctx.Redirect(redirectTo) return } @@ -113,9 +113,9 @@ func SignInPost(ctx *middleware.Context, form auth.SignInForm) { if form.Remember { days := 86400 * setting.LogInRememberDays - ctx.SetCookie(setting.CookieUserName, u.Name, days) + ctx.SetCookie(setting.CookieUserName, u.Name, days, setting.AppSubUrl) ctx.SetSuperSecureCookie(base.EncodeMd5(u.Rands+u.Passwd), - setting.CookieRememberName, u.Name, days) + setting.CookieRememberName, u.Name, days, setting.AppSubUrl) } // Bind with social account. @@ -135,7 +135,7 @@ func SignInPost(ctx *middleware.Context, form auth.SignInForm) { ctx.Session.Set("uid", u.Id) ctx.Session.Set("uname", u.Name) if redirectTo, _ := url.QueryUnescape(ctx.GetCookie("redirect_to")); len(redirectTo) > 0 { - ctx.SetCookie("redirect_to", "", -1) + ctx.SetCookie("redirect_to", "", -1, setting.AppSubUrl) ctx.Redirect(redirectTo) return } @@ -149,8 +149,8 @@ func SignOut(ctx *middleware.Context) { ctx.Session.Delete("socialId") ctx.Session.Delete("socialName") ctx.Session.Delete("socialEmail") - ctx.SetCookie(setting.CookieUserName, "", -1) - ctx.SetCookie(setting.CookieRememberName, "", -1) + ctx.SetCookie(setting.CookieUserName, "", -1, setting.AppSubUrl) + ctx.SetCookie(setting.CookieRememberName, "", -1, setting.AppSubUrl) ctx.Redirect(setting.AppSubUrl + "/") }