Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cookie::queue(...) does not take domain into account #53159

Open
JonathanGawrych opened this issue Oct 14, 2024 · 3 comments
Open

Cookie::queue(...) does not take domain into account #53159

JonathanGawrych opened this issue Oct 14, 2024 · 3 comments

Comments

@JonathanGawrych
Copy link
Contributor

Laravel Version

11.24.0

PHP Version

8.2.19

Database Driver & Version

No response

Description

When setting two cookies using Cookie::queue(...), with the same name and path, but different domains, the two cookies are not sent to the client, but the latter one overwrites the prior. It works when calling response()->cookie(...) directly, just not when the cookie is queue.

It appears that Symphony's ResponseHeaderBag::setCookie() handles it by making one level of the cookie map, domain specific:
https://github.com/symfony/http-foundation/blob/3d7bbf071b25f802f7d55524d408bed414ea71e2/ResponseHeaderBag.php#L162

However, CookieJar doesn't, only caring about name and path:

$this->queued[$cookie->getName()][$cookie->getPath()] = $cookie;

You may be asking why we are setting cookies on two different domains? The answer is that we are transitioning from using CORS to an API server, to instead have each subdomain have separate logins. During this transition we need to set cookies on both the subdomain and domain, and some of our cookies are queued inside services, rather created directly in the controller next to the response. Thanks.

Steps To Reproduce

Ensure the AddQueuedCookiesToResponse middleware is being used.

Add this code to any controller

// Logout request made on www.example.com
Cookie::queue(Cookie::forget('auth_cookie')); // lost
Cookie::queue(Cookie::forget('auth_cookie', domain: '.example.com')); // sent

View the response and see there is only one cookie set.

Copy link

Thank you for reporting this issue!

As Laravel is an open source project, we rely on the community to help us diagnose and fix issues as it is not possible to research and fix every issue reported to us via GitHub.

If possible, please make a pull request fixing the issue you have described, along with corresponding tests. All pull requests are promptly reviewed by the Laravel team.

Thank you!

@Sajid-al-islam
Copy link

created a PR but, but as queue and unqueue is part of the interface / contract it can't be changed on a patch release

@JonathanGawrych
Copy link
Contributor Author

Yeah, I was working on it myself and found that.

Also I found that getPath() is not null, but domain might be null, and null is a valid value for domain. Thus we can't use null to mean unqueue on "any domain". I'm currently looking into defaulting to false, so you can pass in null explicitly.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

No branches or pull requests

4 participants
@crynobone @JonathanGawrych @Sajid-al-islam and others