From: Paul Hänsch <paul@plutz.net>
Date: Wed, 29 Sep 2021 10:34:51 +0000 (+0200)
Subject: unambiguous cookie path when destroying user session
X-Git-Url: https://git.plutz.net/?a=commitdiff_plain;h=84a16dd6c14e0a8f64b94dfd86e58746661f2ab6;p=cgilite

unambiguous cookie path when destroying user session
---

diff --git a/users.sh b/users.sh
index 1959e9d..b784ec7 100755
--- a/users.sh
+++ b/users.sh
@@ -226,8 +226,8 @@ user_logout(){
   # destroy cookie, destroy session
   # keep device cookie
   new_session
-  SET_COOKIE 0 session=""
-  SET_COOKIE 0 user_id=""
+  SESSION_COOKIE new
+  SET_COOKIE 0 user_id="" Path="/${_BASE#/}" SameSite=Strict HttpOnly
   REDIRECT "${_BASE}${PATH_INFO}#USER_LOGGED_OUT"
 }
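Review bot: The `user_id` deletion on the `SET_COOKIE 0 user_id="" Path=...` line only removes a cookie whose Path matches the one it was issued with, and the issuing call is not visible in this hunk, so the two attribute lists can drift apart unnoticed. I would add a comment above it such as `# Path must match the one used where user_id is issued, or the browser keeps the old cookie`, or build both calls from one shared attribute string. Any `user_id` cookie issued earlier without an explicit Path would presumably survive this logout on the client, so the server side should keep treating `user_id` as meaningless without a valid session. No `Secure` attribute is set here either; confirm whether `SET_COOKIE` or the issuing call adds it on HTTPS deployments. `user_logout` starts above the hunk, so what `new_session` invalidates on the server cannot be checked from here.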