branding!: make cookies brand independent (#10645)

Reviewed-on: https://codeberg.org/forgejo/forgejo/pulls/10645 Reviewed-by: Michael Kriese <michael.kriese@gmx.de> Reviewed-by: 0ko <0ko@noreply.codeberg.org> Co-authored-by: Beowulf <beowulf@beocode.eu> Co-committed-by: Beowulf <beowulf@beocode.eu>
2026-05-12 22:10:25 +00:00 · 2026-03-19 04:34:27 +01:00 · 2026-03-19 04:34:27 +01:00 · 97a3837215
commit 97a3837215
parent d2db9b2691
5 changed files with 6 additions and 5 deletions
--- a/modules/setting/security.go
+++ b/modules/setting/security.go
@ -114,7 +114,7 @@ func loadSecurityFrom(rootCfg ConfigProvider) {

 	GlobalTwoFactorRequirement = NewTwoFactorRequirementType(sec.Key("GLOBAL_TWO_FACTOR_REQUIREMENT").String())

-	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("gitea_incredible")
+	CookieRememberName = sec.Key("COOKIE_REMEMBER_NAME").MustString("persistent")

 	ReverseProxyAuthUser = sec.Key("REVERSE_PROXY_AUTHENTICATION_USER").MustString("X-WEBAUTH-USER")
 	ReverseProxyAuthEmail = sec.Key("REVERSE_PROXY_AUTHENTICATION_EMAIL").MustString("X-WEBAUTH-EMAIL")
--- a/modules/setting/session.go
+++ b/modules/setting/session.go
@ -34,7 +34,7 @@ var SessionConfig = struct {
 	// SameSite declares if your cookie should be restricted to a first-party or same-site context. Valid strings are "none", "lax", "strict". Default is "lax"
 	SameSite http.SameSite
 }{
-	CookieName:  "i_like_gitea",
+	CookieName:  "session",
 	Gclifetime:  86400,
 	Maxlifetime: 86400,
 	SameSite:    http.SameSiteLaxMode,
@ -48,7 +48,7 @@ func loadSessionFrom(rootCfg ConfigProvider) {
 	if SessionConfig.Provider == "file" && !filepath.IsAbs(SessionConfig.ProviderConfig) {
 		SessionConfig.ProviderConfig = path.Join(AppWorkPath, SessionConfig.ProviderConfig)
 	}
-	SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("i_like_gitea")
+	SessionConfig.CookieName = sec.Key("COOKIE_NAME").MustString("session")
 	SessionConfig.CookiePath = AppSubURL
 	if SessionConfig.CookiePath == "" {
 		SessionConfig.CookiePath = "/"
--- a/release-notes/10645.md
+++ b/release-notes/10645.md
@ -0,0 +1 @@
+Make cookie names brand independent.<br>Attention: All users need to re-login, if you haven't manually set a cookie name in the settings. This can be prevented by changing the [remember me cookie](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security:~:text=COOKIE_REMEMBER_NAME) back to `gitea_incredible`
--- a/services/context/base_test.go
+++ b/services/context/base_test.go
@ -34,7 +34,7 @@ func TestRedirect(t *testing.T) {
 		resp.Header().Add("Set-Cookie", (&http.Cookie{Name: setting.SessionConfig.CookieName, Value: "dummy"}).String())
 		b.Redirect(c.url)
 		cleanup()
-		has := resp.Header().Get("Set-Cookie") == "i_like_gitea=dummy"
+		has := resp.Header().Get("Set-Cookie") == "session=dummy"
 		assert.Equal(t, c.keep, has, "url = %q", c.url)
 		assert.Equal(t, http.StatusSeeOther, resp.Code)
 	}
--- a/services/context/context_cookie.go
+++ b/services/context/context_cookie.go
@ -14,7 +14,7 @@ import (
 	"forgejo.org/modules/web/middleware"
 )

-const CookieNameFlash = "gitea_flash"
+const CookieNameFlash = "flash"

 func removeSessionCookieHeader(w http.ResponseWriter) {
 	cookies := w.Header()["Set-Cookie"]
				`@ -0,0 +1 @@`
				Make cookie names brand independent.<br>Attention: All users need to re-login, if you haven't manually set a cookie name in the settings. This can be prevented by changing the [remember me cookie](https://forgejo.org/docs/latest/admin/config-cheat-sheet/#security-security:~:text=COOKIE_REMEMBER_NAME) back to `gitea_incredible`