Don't try to set anonymous session cookie on CDN/file domain

Description

Summary:
Ref T2380. If an install has a CDN domain configured, but does not list it as an alternate domain (which is standard/correct, but not incredibly common, see T2380), we'll currently try to set anonymous cookies on it. These will correctly fail security rules.

Instead, don't try to set these cookies.

I missed this in testing yesterday because I have a file domain, but I also have it configured as an alternate domain, which allows cookies to be set. Generally, domain management is due for some refactoring.

Test Plan: Set file domain but not as an alternate, logged out, nuked file domain cookies, reloaded page. No error after patch.

Reviewers: btrahan, csilvers

Reviewed By: btrahan

CC: aran

Maniphest Tasks: T2380

Differential Revision: https://secure.phabricator.com/D8057
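
The decision described in the summary above, as an added PHP sketch (not code from this commit or from Phabricator/Phorge). The function names, config array keys and hostnames are hypothetical and constructed for illustration; it assumes cookies are attempted only on the base domain or a listed alternate domain.

```php
<?php
// Added illustration; every name and value here is hypothetical.

/** Reduce a URI or a Host header value ("host" or "host:port") to a lowercase hostname. */
function host_of(string $uri_or_host): ?string {
  $host = parse_url($uri_or_host, PHP_URL_HOST);
  if (!is_string($host)) {
    // Bare hosts have no scheme; parse them as a network-path reference.
    $host = parse_url('//'.$uri_or_host, PHP_URL_HOST);
  }
  return is_string($host) ? strtolower($host) : null;
}

/**
 * True when an anonymous session cookie may be set for this request host.
 * A CDN/file domain that is not also listed as an alternate domain gets no
 * cookie attempt at all, instead of an attempt that fails the security check.
 */
function should_set_anonymous_cookie(string $request_host, array $config): bool {
  $host = host_of($request_host);
  if ($host === null) {
    return false;
  }
  $cookie_hosts = array();
  $uris = array_merge(array($config['base_uri']), $config['alternate_uris']);
  foreach ($uris as $uri) {
    $cookie_hosts[] = host_of($uri);
  }
  return in_array($host, $cookie_hosts, true);
}

// Constructed sample: file domain configured, but not listed as an alternate.
$standard = array(
  'base_uri' => 'https://phab.example.com/',
  'alternate_uris' => array(),
  'file_uri' => 'https://files.example-cdn.net/',
);
// Constructed sample: the same file domain also listed as an alternate domain.
$listed = $standard;
$listed['alternate_uris'][] = $standard['file_uri'];

foreach (array('standard' => $standard, 'listed' => $listed) as $name => $config) {
  foreach (array('phab.example.com', 'files.example-cdn.net:443') as $request_host) {
    $set = should_set_anonymous_cookie($request_host, $config);
    printf("%-9s %-26s %s\n", $name, $request_host, $set ? 'set cookie' : 'skip cookie');
  }
}
```

With the `standard` config the file-domain request is skipped; with the `listed` config it is allowed, which is the setup that hid the problem in the author's testing.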

Details

Provenance
epriestley Authored on Jan 24 2014, 12:29 PM
themackabu Pushed on Mar 25 2025, 8:07 PM
Parents
rP2735229e3319: Modernize README