Signing out of GitLab clears cookies for all applications in sibling sub-domains
Summary
Signing out of GitLab clears cookies (ends sessions) for all applications in sibling sub-domains.
Steps to reproduce
- Scenario:
  - Have GitLab self-hosted in a sub-domain (say gitlab.example.com)
  - Have other applications hosted in sibling sub-domains (say my-app.example.com)
- Log in to GitLab
- Log in to your custom application that uses cookies for sessions
- Log out of GitLab
- Any other application hosted in a sibling sub-domain (anything.example.com) has now lost its cookie-based session
What is the current bug behavior?
Signing out of GitLab clears cookies (ends sessions) for all applications in sibling sub-domains.
What is the expected correct behavior?
Signing out of GitLab should only invalidate cookies for its own sub-domain, leaving any other applications alone.
Results of GitLab environment info
System information
System:         Ubuntu 22.04
Proxy:          no
Current User:   git
Using RVM:      no
Ruby Version:   3.1.4p223
Gem Version:    3.4.22
Bundler Version:2.4.22
Rake Version:   13.0.6
Redis Version:  7.0.14
Sidekiq Version:6.5.12
Go Version:     unknown

GitLab information
Version:        16.7.0-ee
Revision:       9e7d34f7ff1
Directory:      /opt/gitlab/embedded/service/gitlab-rails
DB Adapter:     PostgreSQL
DB Version:     14.7
URL:            https://redacted
HTTP Clone URL: https://redacted/some-group/some-project.git
SSH Clone URL:  git@redacted:some-group/some-project.git
Elasticsearch:  no
Geo:            no
Using LDAP:     yes
Using Omniauth: yes
Omniauth Providers: oauth2_generic

GitLab Shell
Version:        14.32.0
Repository storages:
- default:      unix:/var/opt/gitlab/gitaly/gitaly.socket
GitLab Shell path:              /opt/gitlab/embedded/service/gitlab-shell

Gitaly
- default Address: unix:/var/opt/gitlab/gitaly/gitaly.socket
- default Version: 16.7.0
- default Git Version: 2.42.0
Results of GitLab application Check
Checking GitLab subtasks ...
Checking GitLab Shell ...
GitLab Shell: ... GitLab Shell version >= 14.32.0 ? ... OK (14.32.0)
Running /opt/gitlab/embedded/service/gitlab-shell/bin/check
Internal API available: OK
Redis available via internal API: OK
gitlab-shell self-check successful
Checking GitLab Shell ... Finished
Checking Gitaly ...
Gitaly: ... default ... OK
Checking Gitaly ... Finished
Checking Sidekiq ...
Sidekiq: ... Running? ... yes
Number of Sidekiq processes (cluster/worker) ... 1/1
Checking Sidekiq ... Finished
Checking Incoming Email ...
Incoming Email: ... Reply by email is disabled in config/gitlab.yml
Checking Incoming Email ... Finished
Checking LDAP ...
LDAP: ... Server: ldapmain
LDAP authentication... Success
LDAP users with access to your GitLab server (only showing the first 100 results)
User output sanitized. Found 100 users of 100 limit.
Checking LDAP ... Finished
Checking GitLab App ...
Database config exists? ... yes
Tables are truncated? ... skipped
All migrations up? ... yes
Database contains orphaned GroupMembers? ... no
GitLab config exists? ... yes
GitLab config up to date? ... yes
Cable config exists? ... yes
Resque config exists? ... yes
Log directory writable? ... yes
Tmp directory writable? ... yes
Uploads directory exists? ... yes
Uploads directory has correct permissions? ... yes
Uploads directory tmp has correct permissions? ... yes
Systemd unit files or init script exist? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Systemd unit files or init script up-to-date? ... skipped (omnibus-gitlab has neither init script nor systemd units)
Projects have namespace: ...
Redis version >= 6.0.0? ... yes
Ruby version >= 3.0.6 ? ... yes (3.1.4)
Git user has default SSH configuration? ... yes
Active users: ... 125
Is authorized keys file accessible? ... yes
GitLab configured to store new projects in hashed storage? ... yes
All projects are in hashed storage? ... yes
Elasticsearch version 7.x-8.x or OpenSearch version 1.x ... skipped (Advanced Search is disabled)
All migrations must be finished before doing a major upgrade ... skipped (Advanced Search is disabled)
Checking GitLab App ... Finished
Checking GitLab subtasks ... Finished
Possible fixes
Maybe a more conservative way of clearing cookies?
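Added example (not code from this issue or from GitLab): a minimal RFC 6265 cookie-store model in Python that shows why a logout from gitlab.example.com which expires cookies with Domain=example.com also removes a sibling application's domain-scoped session cookie, while a host-only deletion (the conservative option suggested above) only reaches gitlab.example.com's own cookie. It assumes the logout deletes cookies with a Domain attribute covering the parent domain (the issue does not state the mechanism); cookie names, values and hostnames are constructed, and Path and SameSite handling are omitted.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime

def domain_match(host, domain):
    """RFC 6265 5.1.3: host equals domain or is a subdomain of it."""
    return host == domain or host.endswith("." + domain)

class CookieStore:
    """Simplified RFC 6265 store keyed by (name, domain); Path is ignored here."""
    def __init__(self):
        self._jar = {}   # (name, domain) -> (value, host_only)

    def set_cookie(self, request_host, header):
        parts = [p.strip() for p in header.split(";")]
        name, _, value = parts[0].partition("=")
        attrs = {k.lower(): v for k, _, v in (p.partition("=") for p in parts[1:])}
        domain = attrs.get("domain", "").lstrip(".").lower()
        if domain and not domain_match(request_host, domain):
            return   # a host may not set cookies for an unrelated domain
        key = (name, domain or request_host)   # host-only cookies use the request host
        expired = ("expires" in attrs and
                   parsedate_to_datetime(attrs["expires"]) <= datetime.now(timezone.utc))
        if expired or attrs.get("max-age", "1") == "0":
            self._jar.pop(key, None)   # an already-expired Set-Cookie deletes the cookie
        else:
            self._jar[key] = (value, not domain)

    def cookies_for(self, host):
        """Sorted name=value pairs a browser would attach to a request to host."""
        return sorted(f"{n}={v}" for (n, d), (v, host_only) in self._jar.items()
                      if (d == host if host_only else domain_match(host, d)))

EXPIRED = "Expires=Thu, 01 Jan 1970 00:00:00 GMT"

def demo():
    jar = CookieStore()
    # Constructed sample: my-app sets a domain-scoped and a host-only cookie; GitLab sets its own.
    jar.set_cookie("my-app.example.com", "sid=app1; Domain=example.com; Path=/; Secure; HttpOnly")
    jar.set_cookie("my-app.example.com", "csrf=app2; Path=/; Secure")
    jar.set_cookie("gitlab.example.com", "sid=gl1; Path=/; Secure; HttpOnly")
    out = {"app_before": jar.cookies_for("my-app.example.com"),
           "gitlab_receives": jar.cookies_for("gitlab.example.com")}
    jar.set_cookie("gitlab.example.com", "sid=; " + EXPIRED)                     # host-only clear
    out["app_after_hostonly_clear"] = jar.cookies_for("my-app.example.com")
    jar.set_cookie("gitlab.example.com", "sid=; Domain=example.com; " + EXPIRED)  # domain-wide clear
    out["app_after_domain_clear"] = jar.cookies_for("my-app.example.com")
    return out
```

Note that the domain-scoped cookie is also sent to gitlab.example.com on every request, so scoping application cookies to their own host (no Domain attribute) both avoids this logout side effect and keeps session tokens away from sibling hosts.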