From bd6c295ec9f0886e63c9888b02d5263a9de429ea Mon Sep 17 00:00:00 2001
From: Cam Saul <cammsaul@gmail.com>
Date: Tue, 9 Apr 2019 20:13:34 -0700
Subject: [PATCH] Always include Path=/ directive in Set-Cookie; fix Google
 Auth :wrench:

---
 src/metabase/handler.clj            | 1 -
 src/metabase/middleware/session.clj | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/src/metabase/handler.clj b/src/metabase/handler.clj
index 6d81b9f0fb6..d82c3ded88d 100644
--- a/src/metabase/handler.clj
+++ b/src/metabase/handler.clj
@@ -37,7 +37,6 @@
    mw.auth/wrap-api-key                    ; looks for a Metabase API Key on the request and assocs as :metabase-api-key
    mw.misc/maybe-set-site-url              ; set the value of `site-url` if it hasn't been set yet
    ;; Disabled for now because some things like CSV download buttons don't work with this on.
-   #_mw.json/check-application-type-headers  ; Reject non-GET requests without Content-Type: application/json headers, we don't support them
    mw.misc/bind-user-locale                ; Binds *locale* for i18n
    wrap-cookies                            ; Parses cookies in the request map and assocs as :cookies
    mw.misc/add-content-type                ; Adds a Content-Type header for any response that doesn't already have one
diff --git a/src/metabase/middleware/session.clj b/src/metabase/middleware/session.clj
index b49e2f814aa..b45d0d57d26 100644
--- a/src/metabase/middleware/session.clj
+++ b/src/metabase/middleware/session.clj
@@ -32,7 +32,7 @@
 (def ^:private ^String metabase-session-header        "x-metabase-session")
 
 (defn- clear-cookie [response cookie-name]
-  (resp/set-cookie response cookie-name nil {:expires (DateTime. 0)}))
+  (resp/set-cookie response cookie-name nil {:expires (DateTime. 0), :path "/"}))
 
 (defn- wrap-body-if-needed
   "You can't add a cookie (by setting the `:cookies` key of a response) if the response is an unwrapped JSON response;
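Review bot: A deletion cookie only replaces the browser's copy when name, domain and path all match, so `clear-cookie` with `:path "/"` will not remove a session cookie that an earlier release set without a Path attribute (browsers then default it to the directory of the request URL). After this deploys, such stale cookies would keep being sent alongside the new one until they expire; that is presumably tolerable here, but worth stating. A comment on the new line would capture the constraint: `;; Path must match the Path the cookie was originally set with, otherwise the browser keeps the old cookie`.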
@@ -77,13 +77,14 @@
   (-> response
       wrap-body-if-needed
       (clear-cookie metabase-legacy-session-cookie)
-      ;; See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie
+      ;; See also https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie and `ring.middleware.cookies`
       (resp/set-cookie
        metabase-session-cookie
        (str session-id)
        (merge
         {:same-site :lax
          :http-only true
+         :path      "/"
          ;; max-session age-is in minutes; Max-Age= directive should be in seconds
          :max-age   (* 60 (config/config-int :max-session-age))}
         ;; If the authentication request request was made over HTTPS (hopefully always except for local dev instances)
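Review bot: The new `:path "/"` entry is the substance of the fix named in the subject, but nothing in the code says why it is needed, whereas the neighbouring `:max-age` line does explain its unit conversion. A short comment would keep the next reader from dropping it: `;; Explicit Path=/ so the cookie is sent on every route; without it browsers scope the cookie to the directory of the request that set it (see `clear-cookie`, which must use the same Path)`. The enclosing function starts before this hunk and the `merge` form continues past its last line.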
-- 
GitLab