Fix safari cookie session bug (#24772)

Partically backport #24330 Related: #24176 Maybe fix #24770
2025-08-12 20:48:20 +00:00 · 2023-05-18 09:10:23 +08:00
parent 1bad05da3d
commit 64cc691b7f
2 changed files with 44 additions and 0 deletions
--- a/modules/context/context.go
+++ b/modules/context/context.go
@@ -473,6 +473,17 @@ func (ctx *Context) JSON(status int, content interface{}) {
 	}
 }

+func removeSessionCookieHeader(w http.ResponseWriter) {
+	cookies := w.Header()["Set-Cookie"]
+	w.Header().Del("Set-Cookie")
+	for _, cookie := range cookies {
+		if strings.HasPrefix(cookie, setting.SessionConfig.CookieName+"=") {
+			continue
+		}
+		w.Header().Add("Set-Cookie", cookie)
+	}
+}
+
 // Redirect redirects the request
 func (ctx *Context) Redirect(location string, status ...int) {
 	code := http.StatusSeeOther
@@ -480,6 +491,15 @@ func (ctx *Context) Redirect(location string, status ...int) {
 		code = status[0]
 	}

+	if strings.Contains(location, "://") || strings.HasPrefix(location, "//") {
+		// Some browsers (Safari) have buggy behavior for Cookie + Cache + External Redirection, eg: /my-path => https://other/path
+		// 1. the first request to "/my-path" contains cookie
+		// 2. some time later, the request to "/my-path" doesn't contain cookie (caused by Prevent web tracking)
+		// 3. Gitea's Sessioner doesn't see the session cookie, so it generates a new session id, and returns it to browser
+		// 4. then the browser accepts the empty session, then the user is logged out
+		// So in this case, we should remove the session cookie from the response header
+		removeSessionCookieHeader(ctx.Resp)
+	}
 	http.Redirect(ctx.Resp, ctx.Req, location, code)
 }