From 97a38372151e43ac05b52af7766c26e9f6b4d4fe Mon Sep 17 00:00:00 2001
From: Beowulf
Date: Thu, 19 Mar 2026 04:34:27 +0100
Subject: [PATCH] branding!: make cookies brand independent (#10645)
Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10645
Reviewed-by: Michael Kriese
Reviewed-by: 0ko <0ko@noreply.codeberg.org>
Co-authored-by: Beowulf
Co-committed-by: Beowulf
---
 modules/setting/security.go | 2 +-
 modules/setting/session.go | 4 ++--
 release-notes/10645.md | 1 +
 services/context/base_test.go | 2 +-
 services/context/context_cookie.go | 2 +-
 5 files changed, 6 insertions(+), 5 deletions(-)
 create mode 100644 release-notes/10645.md
diff --git a/modules/setting/security.go b/modules/setting/security.go
index 347912f248..e00a6af0ee 100644
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@@ -114,7 +114,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {
 GlobalTwoFactorRequirement = NewTwoFactorRequirementType(sec.Key("GLOBAL_TWO_FACTOR_REQUIREMENT").String())
- CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible")
+ CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("persistent")
 ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
 ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
diff --git a/modules/setting/session.go b/modules/setting/session.go
index e9ff9bf0bc..1d88ad334c 100644
--- a/modules/setting/session.go
+++ b/modules/setting/session.go
@@ -34,7 +34,7 @@ var SessionConfig = struct {
 // SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
 SameSite http.SameSite
 }{
- CookieName: "i_like_gitea",
+ CookieName: "session",
 Gclifetime: 86400,
 Maxlifetime: 86400,
 SameSite: http.SameSiteLaxMode,
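Review bot: The new default `persistent` is generic enough to clash with a cookie of the same name set by another application on the same hostname, because browsers scope cookies by host and path and not by port. The same applies to `session` in both hunks of modules/setting/session.go and to `flash` in services/context/context_cookie.go. A comment above the assignment would make that visible to operators, for example `// Generic default: set COOKIE_REMEMBER_NAME explicitly when other applications share this hostname.` Nothing in this diff expires the previously issued `gitea_incredible` cookie, so it presumably stays in browsers until its own expiry; clearing it once on the next response would be worth considering. loadSecurityFrom starts and ends outside the hunk.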
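Review bot: The default name `"session"` is now written twice, once in the SessionConfig initializer here and once in the `MustString("session")` call in the loadSessionFrom hunk, so the next rename can update one and miss the other. A package-level `const defaultSessionCookieName = "session"` used as `CookieName: defaultSessionCookieName,` and `MustString(defaultSessionCookieName)` keeps the two in step. The SessionConfig struct declaration starts outside the hunk.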
@@ -48,7 +48,7 @@ func loadSessionFrom(rootCfg ConfigProvider) {
 if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {
 SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)
 }
- SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
+ SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("session")
 SessionConfig.CookiePath = AppSubURL
 if SessionConfig.CookiePath == "" {
 SessionConfig.CookiePath = "/"
diff --git a/release-notes/10645.md b/release-notes/10645.md
new file mode 100644
index 0000000000..61686efaa2
--- /dev/null
+++ b/release-notes/10645.md
@@ -0,0 +1 @@
+Make cookie names brand independent.
Attention: All users need to re-login, if you haven't manually set a cookie name in the settings. This can be prevented by changing the [remember me cookie](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security:~:text=COOKIE_REMEMBER_NAME) back to `gitea_incredible`
diff --git a/services/context/base_test.go b/services/context/base_test.go
index 9e058d8f24..e199f47fc4 100644
--- a/services/context/base_test.go
+++ b/services/context/base_test.go
@@ -34,7 +34,7 @@ func TestRedirect(t *testing.T) {
 resp.Header().Add("Set-Cookie", (&http.Cookie{Name: setting.SessionConfig.CookieName, Value: "dummy"}).String())
 b.Redirect(c.url)
 cleanup()
- has := resp.Header().Get("Set-Cookie") == "i_like_gitea=dummy"
+ has := resp.Header().Get("Set-Cookie") == "session=dummy"
 assert.Equal(t, c.keep, has, "url = %q", c.url)
 assert.Equal(t, http.StatusSeeOther, resp.Code)
 }
diff --git a/services/context/context_cookie.go b/services/context/context_cookie.go
index 08ef84b5eb..4ed2b80439 100644
--- a/services/context/context_cookie.go
+++ b/services/context/context_cookie.go
@@ -14,7 +14,7 @@ import (
 "forgejo.org/modules/web/middleware"
 )
-const CookieNameFlash = "gitea_flash"
+const CookieNameFlash = "flash"
 func removeSessionCookieHeader(w http.ResponseWriter) {
 cookies := w.Header()["Set-Cookie"]
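Review bot: The expected header is spelled out as `"session=dummy"` while the cookie itself is built three lines earlier from `setting.SessionConfig.CookieName`, so the assertion only holds while the setting still has its default value. Deriving it from the same value, `has := resp.Header().Get("Set-Cookie") == setting.SessionConfig.CookieName+"=dummy"`, would have made this edit unnecessary and keeps the test valid under a custom COOKIE_NAME. TestRedirect starts outside the hunk.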
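Review bot: `CookieNameFlash` is an exported constant with no doc comment, and unlike the session and remember-me names it has no configuration key visible in this diff, so an operator cannot rename it. I would document that on the declaration, e.g. `// CookieNameFlash is the fixed name of the flash cookie; it is not configurable.` The hunk ends inside removeSessionCookieHeader, whose body continues outside it.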