
Configurable session cookie token prefix

Omar Qunsul requested to merge 439945-cells-sessions-cookies-prefix into master

What does this MR do and why?

Configurable session cookie token prefix

Addressing: #439945 (closed)

More context on why this is needed?

https://docs.gitlab.com/ee/architecture/blueprints/cells/iterations/cells-1.0.html#proposal

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Important note(s)

  1. Changing the prefix doesn't affect the existing session cookie values. Only the new ones are affected. That's why in the validation steps we need to clear the cookies first.

How to set up and validate locally

1. When the config file exists and has the config

  1. Create the file config/session_store.yml with this content

```yaml
development:
  session_cookie_token_prefix: "random_prefix_"
```

  2. Restart the Rails app: gdk restart rails-web
  3. Clear the cookies in the browser: Right click -> Inspect -> Application (Tab) -> Cookies -> Select them all and delete them
  4. After you refresh the browser you should see the new GitLab session cookie value prefixed with the configured prefix value.

2. When the config file exists but the prefix is not there

  1. Create the file config/session_store.yml with this content

```yaml
development:
  something_else: "random_prefix_"
```

  2. Restart the Rails app: gdk restart rails-web
  3. Clear the cookies in the browser: Right click -> Inspect -> Application (Tab) -> Cookies -> Select them all and delete them
  4. After you refresh the browser you should see the new GitLab session cookie value not prefixed with anything. It should have the old 32 random characters and digits.

3. When the config doesn't exist

The same validation steps as the previous section (2)
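Added example, not code from this MR or from GitLab: a small Ruby model of the three validation cases above. It assumes the config layout shown (config/session_store.yml keyed by Rails environment) and that the random part of the session id is 32 alphanumeric characters; how GitLab itself generates the session id is not shown on this page.

```ruby
require "yaml"
require "securerandom"

# Illustrative code, not GitLab's implementation. Missing file (case 3) and
# missing key (case 2) both resolve to an empty prefix, so old-style ids result.
def load_session_store_config(path)
  return {} unless File.exist?(path)

  YAML.safe_load(File.read(path)) || {}
end

def session_cookie_token_prefix(config, env)
  env_config = config.fetch(env, nil) || {}
  env_config.fetch("session_cookie_token_prefix", "").to_s
end

# A new session id is the prefix followed by 32 random alphanumeric characters
# (assumed generator). The prefix is a routing label only: it adds no secrecy,
# and the random part keeps its full length, so session-id entropy is unchanged.
def generate_session_id(prefix)
  "#{prefix}#{SecureRandom.alphanumeric(32)}"
end

# Validation helper for step 4: does a cookie value carry the expected prefix
# followed by a well-formed 32-character random part?
def prefixed_session_id?(value, prefix)
  value.start_with?(prefix) &&
    value.delete_prefix(prefix).match?(/\A[A-Za-z0-9]{32}\z/)
end

if __FILE__ == $PROGRAM_NAME
  require "tmpdir"
  Dir.mktmpdir do |dir|
    path = File.join(dir, "session_store.yml")
    # Case 1: file present with the key (constructed sample config)
    File.write(path, "development:\n  session_cookie_token_prefix: \"random_prefix_\"\n")
    prefix = session_cookie_token_prefix(load_session_store_config(path), "development")
    puts generate_session_id(prefix) # random_prefix_ followed by 32 random chars
    # Case 2: file present, key absent -> no prefix
    File.write(path, "development:\n  something_else: \"random_prefix_\"\n")
    puts generate_session_id(session_cookie_token_prefix(load_session_store_config(path), "development"))
    # Case 3: file absent -> no prefix
    missing = File.join(dir, "missing.yml")
    puts generate_session_id(session_cookie_token_prefix(load_session_store_config(missing), "development"))
  end
end
```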

Related to #439945 (closed)

Edited by Omar Qunsul
