Merge branch '31644-make-cookie-sessions-unique' into 'master'

Update session cookie key name to be unique to instance in development Closes #31644 See merge request !11839
2017-06-01 14:59:35 +00:00 · 2017-06-01 14:59:35 +00:00 · 6f14a3ea6b
parent 0218a0bd23 0087f93989
commit 6f14a3ea6b
2 changed files with 11 additions and 1 deletions
--- a/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
+++ b/changelogs/unreleased/31644-make-cookie-sessions-unique.yml
@ -0,0 +1,4 @@
+---
+title: Update session cookie key name to be unique to instance in development
+merge_request:
+author:
--- a/config/initializers/session_store.rb
+++ b/config/initializers/session_store.rb
@ -10,6 +10,12 @@ rescue
  Settings.gitlab['session_expire_delay'] ||= 10080
 end

+cookie_key = if Rails.env.development?
+               "_gitlab_session_#{Digest::SHA256.hexdigest(Rails.root.to_s)}"
+             else
+               "_gitlab_session"
+             end
+
 if Rails.env.test?
  Gitlab::Application.config.session_store :cookie_store, key: "_gitlab_session"
 else
@ -19,7 +25,7 @@ else
  Gitlab::Application.config.session_store(
    :redis_store, # Using the cookie_store would enable session replay attacks.
    servers: redis_config,
-    key: '_gitlab_session',
+    key: cookie_key,
    secure: Gitlab.config.gitlab.https,
    httponly: true,
    expires_in: Settings.gitlab['session_expire_delay'] * 60,