Merge pull request #1686 from TriliumNext/refactor_remove-cookiePath

eliandoran · web-flow · commit 9d1e99f2e888 · 2025-04-13T17:12:25.000+03:00
refactor(cookiePath): remove non-working cookiePath option
diff --git a/data-docs/config.ini b/data-docs/config.ini
@@ -30,13 +30,6 @@ trustedReverseProxy=false
 
 
 [Session]
-# Use this setting to set a custom value for the "Path" Attribute value of the session cookie.
-# This can be useful, when you have several instances running on the same domain, under different paths (e.g. by using a reverse proxy).
-# It prevents your instances from overwriting each others' cookies, allowing you to stay logged in multiple instances simultanteously.
-# E.g. if you have instances running under https://your-domain.com/triliumNext/instanceA and https://your-domain.com/triliumNext/instanceB
-# you would want to set the cookiePath value to "/triliumNext/instanceA" for your first and "/triliumNext/instanceB" for your second instance
-cookiePath=/
-
 # Use this setting to set a custom value for the "Max-Age" Attribute of the session cookie.
 # This controls how long your session will be valid, before it expires and you need to log in again, when you use the "Remember Me" option.
 # Value needs to be entered in Seconds.
diff --git a/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md b/docs/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.md
@@ -27,7 +27,7 @@ Configure Nginx proxy and HTTPS. The operating system here is Ubuntu 18.04.
         ssl_ciphers HIGH:!aNULL:!eNULL:!EXPORT:!CAMELLIA:!DES:!MD5:!PSK:!RC4;
         ssl_prefer_server_ciphers on;
         access_log /var/log/nginx/access.log; #check the path of access.log, if it doesn't fit your file, change it
-        
+    
         location / {
             proxy_set_header Host $host;
             proxy_set_header X-Real-IP $remote_addr;
@@ -40,10 +40,31 @@ Configure Nginx proxy and HTTPS. The operating system here is Ubuntu 18.04.
             proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain
         }
     }
+    
     # This part is for HTTPS forced
     server {
-                listen 80;
-                server_name trilium.example.net; # change to your domain
-                return 301 https://$server_name$request_uri;
+        listen 80;
+        server_name trilium.example.net; # change to your domain
+        return 301 https://$server_name$request_uri;
     }
+    ```
+4.  Alternatively if you want to serve the instance under a different path (useful e.g. if you want to serve multiple instances), update the location block like so:
+    
+    *   update the location with your desired path (make sure to not leave a trailing slash "/", if your `proxy_pass` does not end on a slash as well)
+    *   add the `proxy_cookie_path` directive with the same path: this allows you to stay logged in at multiple instances at the same time.
+    
+    ```
+        location /trilium/instance-one {
+            proxy_set_header Host $host;
+            proxy_set_header X-Real-IP $remote_addr;
+            proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
+            proxy_set_header X-Forwarded-Proto $scheme;
+            proxy_set_header Upgrade $http_upgrade;
+            proxy_set_header Connection "upgrade";
+            proxy_pass http://127.0.0.1:8080; # change it to a different port if non-default is used
+            proxy_cookie_path / /trilium/instance-one
+            proxy_read_timeout 90;
+            proxy_redirect http://127.0.0.1:8080 https://trilium.example.net; # change them based on your IP, port and domain
+        }
+    
     ```
diff --git a/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html b/src/public/app/doc_notes/en/User Guide/User Guide/Installation & Setup/Server Installation/2. Reverse proxy/Nginx.html
diff --git a/src/routes/csrf_protection.ts b/src/routes/csrf_protection.ts
@@ -1,12 +1,11 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
 import { isElectron } from "../services/utils.js";
-import config from "../services/config.js";
 
 const doubleCsrfUtilities = doubleCsrf({
     getSecret: () => sessionSecret,
     cookieOptions: {
-        path: config.Session.cookiePath,
+        path: "/",
         secure: false,
         sameSite: "strict",
         httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966
diff --git a/src/routes/session_parser.ts b/src/routes/session_parser.ts
@@ -11,7 +11,7 @@ const sessionParser = session({
     resave: false, // true forces the session to be saved back to the session store, even if the session was never modified during the request.
     saveUninitialized: false, // true forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
     cookie: {
-        path: config.Session.cookiePath,
+        path: "/",
         httpOnly: true,
         maxAge: config.Session.cookieMaxAge * 1000 // needs value in milliseconds
     },
diff --git a/src/services/config.ts b/src/services/config.ts
@@ -31,7 +31,6 @@ export interface TriliumConfig {
         trustedReverseProxy: boolean | string;
     };
     Session: {
-        cookiePath: string;
         cookieMaxAge: number;
     };
     Sync: {
@@ -84,9 +83,6 @@ const config: TriliumConfig = {
     },
 
     Session: {
-        cookiePath:
-            process.env.TRILIUM_SESSION_COOKIEPATH || iniConfig?.Session?.cookiePath || "/",
-
         cookieMaxAge:
             parseInt(String(process.env.TRILIUM_SESSION_COOKIEMAXAGE)) || parseInt(iniConfig?.Session?.cookieMaxAge) || 21 * 24 * 60 * 60 // 21 Days in Seconds
     },
