unambiguous cookie path when destroying user session
index 33f0062d7832d510b8db9d25d2cb1fdcd9b20bec..b784ec75983f4163702722d8a2557e25c04ac2d7 100755 (executable)
--- a/users.sh
+++ b/users.sh
@@ -226,8 +226,8 @@ user_logout(){
   # destroy cookie, destroy session
   # keep device cookie
   new_session
-  SET_COOKIE 0 session=""
-  SET_COOKIE 0 user_id=""
+  SESSION_COOKIE new
+  SET_COOKIE 0 user_id="" Path="/${_BASE#/}" SameSite=Strict HttpOnly
   REDIRECT "${_BASE}${PATH_INFO}#USER_LOGGED_OUT"
 }
 
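Review bot: The expiring `SET_COOKIE 0 user_id=""` now carries `Path="/${_BASE#/}"`, and a browser only drops the cookie whose name and Path match the ones it was stored with. The call that sets user_id at login is not in this hunk, so confirm that it uses the identical Path expression; otherwise a stale user_id cookie survives logout. A comment above the line would keep the two sites in step: `# Path must equal the Path used when user_id was set, or the browser keeps the old cookie`. The clearing cookie also has no `Secure` attribute; if the login cookie sets it on an HTTPS-only deployment, add it here as well.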
@@ -259,7 +259,9 @@ user_init
 esac
 
 w_user_register(){
-  if [ "$USER_REGISTRATION" != true ]; then
+  if [ "$(GET user_confirm)" ]; then
+    w_user_confirm
+  elif [ "$USER_REGISTRATION" != true ]; then
     cat <<-EOF
        [div #user_register .disabled
        User Registration is disabled.
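Review bot: In `w_user_register` the new first branch calls `w_user_confirm` for any request with a non-empty `user_confirm` parameter before `USER_REGISTRATION` is tested, so the confirmation path stays reachable while registration is switched off. If that is intended (for example to let pending confirmations complete), record it in a comment such as `# confirmation stays available even when registration is disabled`; if not, gate it with `if [ "$USER_REGISTRATION" = true ] && [ "$(GET user_confirm)" ]; then`. Either way `w_user_confirm`, which is outside this hunk, has to validate the value itself, because the test here only checks that it is non-empty. The function body continues past the end of the hunk.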