lib/api: Improve cookie handling (fixes #9208) (#9214)

lib/api/api_auth.go

@@ -85,8 +85,12 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
 			return
 		}
 
-		cookie, err := r.Cookie(cookieName)
+		for _, cookie := range r.Cookies() {
-		if err == nil && cookie != nil {
+			// We iterate here since there may, historically, be multiple
+			// cookies with the same name but different path. Any "old" ones
+			// won't match an existing session and will be ignored, then
+			// later removed on logout or when timing out.
+			if cookie.Name == cookieName {
 				sessionsMut.Lock()
 				_, ok := sessions[cookie.Value]
 				sessionsMut.Unlock()
@@ -95,6 +99,7 @@ func basicAuthAndSessionMiddleware(cookieName string, guiCfg config.GUIConfigura
 					return
 				}
 			}
+		}
 
 		// Fall back to Basic auth if provided
 		if username, ok := attemptBasicAuth(r, guiCfg, ldapCfg, evLogger); ok {
@@ -198,21 +203,26 @@ func createSession(cookieName string, username string, guiCfg config.GUIConfigur
 
 func handleLogout(cookieName string) http.Handler {
 	return http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
-		cookie, err := r.Cookie(cookieName)
+		for _, cookie := range r.Cookies() {
-		if err == nil && cookie != nil {
+			// We iterate here since there may, historically, be multiple
+			// cookies with the same name but different path. We drop them
+			// all.
+			if cookie.Name == cookieName {
 				sessionsMut.Lock()
 				delete(sessions, cookie.Value)
 				sessionsMut.Unlock()
-		}
-		// else: If there is no session cookie, that's also a successful logout in terms of user experience.
 
+				// Delete the cookie
 				http.SetCookie(w, &http.Cookie{
 					Name:   cookieName,
 					Value:  "",
 					MaxAge: -1,
-			Secure: true,
+					Secure: cookie.Secure,
-			Path:   "/",
+					Path:   cookie.Path,
 				})
+			}
+		}
+
 		w.WriteHeader(http.StatusNoContent)
 	})
 }