
Sign-out deletes only GitLab site data, not all subdomains

Andrew Evans requested to merge atevans/fix-signout-del-sibling-cookies into master

What does this MR do and why?


Fix the sign-out process so it no longer deletes cookies from all 'sibling' subdomains: loop over the available cookies and delete them one by one instead of sending the Clear-Site-Data header, which appears to delete cookies for the entire domain.
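To make the difference between the two strategies concrete, here is an added example (not GitLab's code) that models both: a single Clear-Site-Data header versus one expiring Set-Cookie per cookie the browser presented. The host names, cookie names and the cookie-jar model are constructed for the example, and the registrable-domain check is a two-label approximation of what browsers do with the Public Suffix List.

```ruby
require 'cgi'

# Added example, not GitLab's code. It models the two sign-out strategies the
# MR contrasts: a Clear-Site-Data header versus expiring each cookie
# individually. Host names and cookie names are constructed sample data.

# Parse a raw Cookie request header ("a=1; b=2") into a name => value Hash.
def parse_cookie_header(header)
  header.to_s.split(/;\s*/).each_with_object({}) do |pair, acc|
    name, value = pair.split('=', 2)
    next if name.nil? || name.strip.empty?
    acc[name.strip] = CGI.unescape(value.to_s)
  end
end

# Strategy A: a single Clear-Site-Data header. The browser interprets
# "cookies" as every cookie for the registrable domain, which is what
# wiped the sibling subdomains' cookies.
def clear_site_data_headers
  { 'Clear-Site-Data' => '"cookies"' }
end

# Strategy B: one expiring Set-Cookie per cookie the browser presented.
# Without a Domain attribute each Set-Cookie is host-only, so cookies that
# belong to sibling hosts are never addressed.
EXPIRED_AT = 'Thu, 01 Jan 1970 00:00:00 GMT'.freeze

def expiring_set_cookie_headers(cookie_header, path: '/')
  parse_cookie_header(cookie_header).keys.map do |name|
    "#{name}=; Path=#{path}; Expires=#{EXPIRED_AT}; Max-Age=0"
  end
end

# Registrable domain, approximated here as the last two labels
# (gdk.test for subdomain.gdk.test). Real browsers use the Public Suffix List.
def registrable_domain(host)
  host.split('.').last(2).join('.')
end

# Minimal model of a browser cookie jar: an Array of { host:, name: } Hashes.
# Returns the jar left after the browser processes the sign-out response.
def jar_after_sign_out(jar, signout_host, response_headers)
  if response_headers.key?('Clear-Site-Data')
    domain = registrable_domain(signout_host)
    return jar.reject { |c| registrable_domain(c[:host]) == domain }
  end

  expired = Array(response_headers['Set-Cookie']).map { |h| h.split('=', 2).first }
  jar.reject { |c| c[:host] == signout_host && expired.include?(c[:name]) }
end

# Constructed scenario mirroring the MR's validation steps: a GitLab session
# cookie on one subdomain and an unrelated cookie on a sibling subdomain.
SAMPLE_JAR = [
  { host: 'subdomain.gdk.test',      name: '_gitlab_session' },
  { host: 'othersubdomain.gdk.test', name: 'tst_cook' }
].freeze

# Runs both strategies against the sample jar and returns the surviving
# cookie names for each.
def demo
  gitlab_host = 'subdomain.gdk.test'
  cookie_header = '_gitlab_session=abc123' # what the browser sends to GitLab

  with_header = jar_after_sign_out(SAMPLE_JAR, gitlab_host, clear_site_data_headers)
  per_cookie  = jar_after_sign_out(
    SAMPLE_JAR, gitlab_host,
    { 'Set-Cookie' => expiring_set_cookie_headers(cookie_header) }
  )
  {
    clear_site_data: with_header.map { |c| c[:name] },
    per_cookie: per_cookie.map { |c| c[:name] }
  }
end

p demo if __FILE__ == $PROGRAM_NAME
```

In the model the Clear-Site-Data response leaves the jar empty, while the per-cookie response removes only `_gitlab_session` and leaves `tst_cook` on othersubdomain.gdk.test, which is the behaviour the validation steps check for. One caveat for the per-cookie approach: the Cookie request header carries names and values only, so a cookie that was originally set with an explicit Domain or non-default Path attribute has to be expired with those same attributes, otherwise the browser treats the expiring Set-Cookie as a different cookie and the original survives.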

Originally from community contribution MR !142740

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.

Before: without_feature (screenshot) | After: with_feature (screenshot)

How to set up and validate locally

  1. Ensure your local GDK is using Nginx and a hostname
  2. Change your hostname to a subdomain like subdomain.gdk.test. We will also need a second subdomain like othersubdomain.gdk.test; make sure these are both present in /etc/hosts
  3. gdk reconfigure and gdk restart to use the subdomain for your hostname
  4. Set up othersubdomain in Nginx: add the following block to gitlab-development-kit/nginx/conf/nginx.conf after the last server {} block in the file:
     server {
       listen othersubdomain.gdk.test:3444;

       location / {
         add_header Set-Cookie "tst_cook=capybara; Domain=othersubdomain.gdk.test" always;

         root ../gitlab/public/;
         index 422.html;
       }
     }
  5. (optional) gdk doctor - ensure this does not output the message nginx/conf/nginx.conf is not valid!
  6. gdk restart nginx
  7. Visit http://othersubdomain.gdk.test:3444 in your browser.
    • You should see the 422 error page.
    • Check the cookies for this page in your browser's Web Inspector. You should see the tst_cook cookie with "Domain" listed as othersubdomain.gdk.test
  8. Visit GitLab in your browser at https://subdomain.gdk.test:3443 (or whatever subdomain and port you have chosen)
  9. Log in, if needed
  10. Log out
  11. Reload the web inspector for the page othersubdomain.gdk.test - the cookie for that subdomain should still be present
Edited by Andrew Evans
