fix: #8142, broken site if no server-side session (#8148)

* fix: #8142, broken site if no server-side session During the `addHeader` middleware, a check is now done to see if `req.session.meta` is present. This value is only present if the user has a valid server-side session. If it is missing, then it is probably safe to assume that the server-side session was deleted (either intentionally or accidentally). In that scenario, the client-side cookie should be cleared. Also, there was an issue where the sessionRefresh flag was never cleared after a successful login, so that was fixed too. * feat: exported method to get cookie config * fix: don't clear cookie if cookie is being set * fix: socket.io tests Co-authored-by: Barış Soner Uşaklı <barisusakli@gmail.com>
2025-11-03 04:25:55 +01:00 · 2020-02-06 15:52:37 -05:00
parent 0885ec6858
commit d6e3f3f058
5 changed files with 34 additions and 20 deletions
--- a/src/webserver.js
+++ b/src/webserver.js
@@ -206,24 +206,9 @@ function configureBodyParser(app) {
 }

 function setupCookie() {
-	var ttl = meta.getSessionTTLSeconds() * 1000;
-
-	var cookie = {
-		maxAge: ttl,
-	};
-
-	if (nconf.get('cookieDomain') || meta.config.cookieDomain) {
-		cookie.domain = nconf.get('cookieDomain') || meta.config.cookieDomain;
-	}
-
-	if (nconf.get('secure')) {
-		cookie.secure = true;
-	}
-
-	var relativePath = nconf.get('relative_path');
-	if (relativePath !== '') {
-		cookie.path = relativePath;
-	}
+	const cookie = meta.configs.cookie.get();
+	const ttl = meta.getSessionTTLSeconds() * 1000;
+	cookie.maxAge = ttl;

 	return cookie;
 }