unambiguous cookie path when destroying user session
authorPaul Hänsch <paul@plutz.net>
Wed, 29 Sep 2021 10:34:51 +0000 (12:34 +0200)
committerPaul Hänsch <paul@plutz.net>
Wed, 29 Sep 2021 10:34:51 +0000 (12:34 +0200)
users.sh

index 1959e9de4b757084fad3d850b1b7b771517cb3c3..b784ec75983f4163702722d8a2557e25c04ac2d7 100755 (executable)
--- a/users.sh
+++ b/users.sh
@@ -226,8 +226,8 @@ user_logout(){
   # destroy cookie, destroy session
   # keep device cookie
   new_session
-  SET_COOKIE 0 session=""
-  SET_COOKIE 0 user_id=""
+  SESSION_COOKIE new
+  SET_COOKIE 0 user_id="" Path="/${_BASE#/}" SameSite=Strict HttpOnly
   REDIRECT "${_BASE}${PATH_INFO}#USER_LOGGED_OUT"
 }
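Review bot: The expiry header on the `SET_COOKIE 0 user_id="" Path="/${_BASE#/}" ...` line only removes a cookie that was stored with exactly this Path, because browsers key cookies by name, domain and path. The code that sets `user_id` at login is outside this hunk, so it should be confirmed that it uses the same `Path="/${_BASE#/}"`; a `user_id` cookie issued earlier under the browser's default path would presumably survive logout. If such cookies can exist, also sending the previous `SET_COOKIE 0 user_id=""` for a transition period would clear them. I would also extend the comment at the top of the hunk to say why the path is explicit, e.g. `# Path must match the Path used when the cookie was set, or the browser keeps it`.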