
Add Dangerfile reminder when setting cookies server-side

Andrew Evans requested to merge 477321-atevans-danger-cookies into master

What does this MR do and why?

If a developer sets a cookie from Rails with a :domain attribute, they must remember to un-set this cookie when a user signs out. This can be hard to remember to do.

This change adds a Danger bot reminder whenever setting cookies is detected in application code, and also documentation of development guidelines when working with cookies.

Primary issue: #477321

Previous discussion in: !156213 (comment 2012279812)

MR acceptance checklist

Please evaluate this MR against the MR acceptance checklist. It helps you analyze changes to reduce risks in quality, performance, reliability, security, and maintainability.

Screenshots or screen recordings

Screenshots are required for UI changes, and strongly recommended for all other merge requests.


How to set up and validate locally

  1. Check out a new branch off of this one
  2. Add this line of code to any controller action: cookies[:favorite_animal] = 'opossum'
  3. Commit the change
  4. Run rails danger_local to run Danger locally
  5. You should see the message "It looks like you are setting a server-side cookie. Please note..." in the "Markdown:" section of the output from this command

Related to #477321
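
An added illustration of the kind of check this MR describes, not the Dangerfile code from the merge request: a Ruby scan of a unified diff for added lines that write to Rails cookies, recording whether each write passes a domain option on the same line. The function name, regexes and sample diff are assumptions constructed for this example.

```ruby
# Added example; hypothetical names, not the merge request's Dangerfile code.
# Matches writes such as cookies[:a] = ... and cookies.signed[:a] = ...
COOKIE_WRITE = /\bcookies(?:\.(?:signed|encrypted|permanent))*\s*\[\s*([^\]]+?)\s*\]\s*=(?![=~])/
# Matches both domain: ... and :domain => ... on the same line only.
DOMAIN_OPTION = /\bdomain:|:domain\s*=>/

# Constructed sample diff (not taken from the GitLab repository).
SAMPLE_DIFF = <<~DIFF
  diff --git a/app/controllers/demo_controller.rb b/app/controllers/demo_controller.rb
  --- a/app/controllers/demo_controller.rb
  +++ b/app/controllers/demo_controller.rb
  @@ -10,3 +10,7 @@ class DemoController < ApplicationController
     def show
  +    cookies[:favorite_animal] = 'opossum'
  +    cookies.signed[:region] = { value: 'eu', domain: :all }
  +    # cookies[:ignored] = 'commented out'
  +    return if cookies[:region] == 'eu'
       render :show
     end
DIFF

# Returns one hash per added line that writes a cookie, with the line number
# in the new file and whether a domain option appears on that line.
def cookie_writes_in_diff(diff)
  findings = []
  file = nil
  new_line = 0
  diff.each_line(chomp: true) do |l|
    case l
    when %r{\A\+\+\+ b/(.+)\z}          # new-file header
      file = Regexp.last_match(1)
    when /\A@@ -\d+(?:,\d+)? \+(\d+)/    # hunk header: start of new-file range
      new_line = Regexp.last_match(1).to_i
    when /\A\+(.*)\z/                    # added line
      text = Regexp.last_match(1)
      write = text.match(COOKIE_WRITE) unless text.lstrip.start_with?('#')
      if write
        findings << { file: file, line: new_line, name: write[1],
                      domain: text.match?(DOMAIN_OPTION) }
      end
      new_line += 1
    when /\A /                           # context line: advances new-file count
      new_line += 1
    end
  end
  findings
end

cookie_writes_in_diff(SAMPLE_DIFF).each do |f|
  note = f[:domain] ? 'sets a domain: delete with the same domain on sign-out' : 'no domain option'
  puts "#{f[:file]}:#{f[:line]} #{f[:name]} (#{note})"
end
```

Reads (the == comparison) and commented-out lines are not reported; an options hash that puts its domain key on a later line would need multi-line handling that this example leaves out.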
