
Fix sign out process to not delete cookies from all 'sibling' sub-domains

What does this MR do and why?

Fix the sign-out process so that it does not delete cookies from all 'sibling' sub-domains, by looping over and deleting the available cookies instead of using the Clear-Site-Data header, which seems to delete cookies from the entire domain.

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

This MR is probably still missing:

  • Someone who can evaluate whether there are any unintended side effects of changing this mechanism
  • Someone who can actually test it manually in a test environment
  • Someone who can write a test case for this behavior change

How to set up and validate locally

  1. Have GitLab self-hosted in a subdomain (say gitlab.example.com)
  2. Have other applications hosted in sibling sub-domains (say my-app.example.com)
  3. Log in to GitLab
  4. Log in to your custom application that uses cookies for sessions
  5. Log out of GitLab
  6. Any other application hosted in sibling sub-domains (anything.example.com) should keep their cookie-based sessions

Close #438965

Edited by Guilherme C. Souza
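As an added illustration (not GitLab's code and not part of this MR), the following Ruby models the difference between the two sign-out strategies named above against a minimal browser cookie jar: the Clear-Site-Data: "cookies" semantics, which clear cookies for the whole registrable domain including its sub-domains, versus one host-only expiring Set-Cookie per cookie that the sign-out request carried. The hostnames, cookie names and jar contents are constructed for the example, and registrable-domain detection is simplified to the last two labels instead of the Public Suffix List.

```ruby
require 'time'

# Constructed example (not GitLab's code): compares the two sign-out strategies
# the MR describes against a minimal model of a browser cookie jar.

# A stored cookie as a browser keeps it: name, value, the domain it is scoped
# to, and whether it is host-only (set without a Domain attribute).
Cookie = Struct.new(:name, :value, :domain, :host_only, keyword_init: true)

# Registrable domain (eTLD+1) for the simple "host.example.com" case.
# Assumption: a real browser consults the Public Suffix List; this does not.
def registrable_domain(host)
  host.split('.').last(2).join('.')
end

# Cookies the browser would attach to a request for +host+ (RFC 6265 domain
# matching; Path and Secure are ignored for brevity).
def cookies_sent_to(jar, host)
  jar.select do |c|
    c.host_only ? c.domain == host : (host == c.domain || host.end_with?(".#{c.domain}"))
  end
end

# Strategy 1 (the MR's fix): one expiring Set-Cookie per cookie the request
# carried. No Domain attribute is emitted, so every deletion is host-only.
def expire_cookie_headers(request_cookies, secure: true)
  past = Time.at(0).httpdate
  request_cookies.map do |c|
    attrs = ["#{c.name}=", 'Path=/', 'Max-Age=0', "Expires=#{past}", 'HttpOnly']
    attrs << 'Secure' if secure
    attrs.join('; ')
  end
end

# Browser side of Strategy 1: a Set-Cookie without Domain only replaces the
# stored cookie with the same name that is host-only for exactly this host.
# A cookie stored for Domain=example.com is a different cookie and survives.
def apply_expire_headers(jar, headers, host)
  names = headers.map { |h| h.split('=', 2).first }
  jar.reject { |c| names.include?(c.name) && c.host_only && c.domain == host }
end

# Strategy 2 (the behaviour being removed): Clear-Site-Data: "cookies" drops
# every cookie scoped to the registrable domain or any of its sub-domains.
def apply_clear_site_data(jar, host)
  rd = registrable_domain(host)
  jar.reject { |c| c.domain == rd || c.domain.end_with?(".#{rd}") }
end

# Constructed jar: GitLab's own host-only session, a sibling app's host-only
# session, and a cookie shared across the whole domain.
def sample_jar
  [
    Cookie.new(name: '_gitlab_session', value: 'g1', domain: 'gitlab.example.com', host_only: true),
    Cookie.new(name: 'app_session', value: 'a1', domain: 'my-app.example.com', host_only: true),
    Cookie.new(name: 'shared_pref', value: 'dark', domain: 'example.com', host_only: false)
  ]
end

def sign_out_via_loop(jar, host = 'gitlab.example.com')
  headers = expire_cookie_headers(cookies_sent_to(jar, host))
  apply_expire_headers(jar, headers, host)
end

def sign_out_via_clear_site_data(jar, host = 'gitlab.example.com')
  apply_clear_site_data(jar, host)
end

if __FILE__ == $0
  puts "after loop-delete:    #{sign_out_via_loop(sample_jar).map(&:name).inspect}"
  puts "after Clear-Site-Data: #{sign_out_via_clear_site_data(sample_jar).map(&:name).inspect}"
end
```

Two caveats the model makes visible: the loop can only expire cookies the browser actually sent (those whose Domain, Path and Secure attributes match the sign-out request), and a host-only expiry does not remove a cookie that was originally set with an explicit Domain=example.com. Such a cookie has to be expired with the same Domain attribute, which again affects every sibling, so the fix keeps sibling sessions intact only as long as GitLab's own cookies are host-only.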
