Fix sign out process to not delete cookies from all 'sibling' sub-domains
What does this MR do and why?
Fix sign out process to not delete cookies from all 'sibling' sub-domains by loop-deleting the available cookies instead of using the Clear-Site-Data header, which seems to delete cookies from the entire domain.
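The mechanism this MR describes, as an added example rather than GitLab's own code: a sign-out response expires every cookie the browser sent, one Set-Cookie line each, with no Domain attribute so only the request host (gitlab.example.com) is affected; the header names and the cookie string below are constructed, and the helper names are hypothetical.

```ruby
require 'time'

# Expired-in-the-past timestamp that makes a browser drop the cookie.
EPOCH = Time.at(0).utc.httpdate # "Thu, 01 Jan 1970 00:00:00 GMT"

# Parse a raw Cookie request header (constructed input in the test) into a
# name => value hash. Values may themselves contain '=', so split only once.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name] = value.to_s unless name.nil? || name.empty?
  end
end

# Build one expiring Set-Cookie header per cookie name seen in the request.
# Deliberately no Domain attribute: a host-only cookie is scoped to
# gitlab.example.com, whereas Domain=example.com (like the browser's handling
# of Clear-Site-Data: "cookies", which is scoped to the registrable domain)
# would reach sibling hosts such as my-app.example.com.
def sign_out_set_cookie_headers(cookie_header, secure: true)
  parse_cookie_header(cookie_header).keys.map do |name|
    attrs = ["#{name}=", 'Path=/', "Expires=#{EPOCH}", 'Max-Age=0', 'HttpOnly']
    attrs << 'Secure' if secure
    attrs.join('; ')
  end
end

# The replaced approach, kept for comparison only.
def clear_site_data_header
  { 'Clear-Site-Data' => '"cookies"' }
end

if __FILE__ == $PROGRAM_NAME
  puts sign_out_set_cookie_headers('_gitlab_session=abc; known_sign_in=xyz')
end
```

Caveat: the server cannot see which Domain or Path a received cookie was set with, so a cookie that was originally set with an explicit Domain attribute is not removed by a host-only expiry line and needs a matching Domain on its deletion line.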
MR acceptance checklist
Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.
This MR is probably still missing:
- Someone that can evaluate whether there are any unintended side-effects of changing this mechanic
- Someone that can actually test it manually in a test environment
- Someone that can write a test case for this behavior change
How to set up and validate locally
- Have GitLab self-hosted in a subdomain (say gitlab.example.com)
- Have other applications hosted in sibling sub-domains (say my-app.example.com)
- Log in to GitLab
- Log in to your custom application that uses cookies for sessions
- Log out of GitLab
- Any other application hosted in sibling sub-domains (anything.example.com) should keep their cookie-based sessions
Close #438965 (closed)
Edited by Guilherme C. Souza