From 3fcf865a4bef6f73149984090304f3d64af2a0e1 Mon Sep 17 00:00:00 2001
From: Giteabot <teabot@gitea.io>
Date: Tue, 11 Jun 2024 13:57:51 +0800
Subject: [PATCH] Delete legacy cookie before setting new cookie (#31306)
 (#31317)

Backport #31306 by wxiaoguang

Co-authored-by: wxiaoguang <wxiaoguang@gmail.com>
---
 modules/web/middleware/cookie.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/modules/web/middleware/cookie.go b/modules/web/middleware/cookie.go
index ec6b06f993..f2d25f5b1c 100644
--- a/modules/web/middleware/cookie.go
+++ b/modules/web/middleware/cookie.go
@@ -35,6 +35,10 @@ func GetSiteCookie(req *http.Request, name string) string {
 
 // SetSiteCookie returns given cookie value from request header.
 func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
+	// Previous versions would use a cookie path with a trailing /.
+	// These are more specific than cookies without a trailing /, so
+	// we need to delete these if they exist.
+	deleteLegacySiteCookie(resp, name)
 	cookie := &http.Cookie{
 		Name:     name,
 		Value:    url.QueryEscape(value),
@@ -46,10 +50,6 @@ func SetSiteCookie(resp http.ResponseWriter, name, value string, maxAge int) {
 		SameSite: setting.SessionConfig.SameSite,
 	}
 	resp.Header().Add("Set-Cookie", cookie.String())
-	// Previous versions would use a cookie path with a trailing /.
-	// These are more specific than cookies without a trailing /, so
-	// we need to delete these if they exist.
-	deleteLegacySiteCookie(resp, name)
 }
 
 // deleteLegacySiteCookie deletes the cookie with the given name at the cookie