refactor(cookiePath): remove non-working cookiePath option

this option will currently not work => the cookie will never
be set by the server, if you use a different path other than "/"

in order for this to work we would need to introduce some kind of
"custom route prefix", that would make express serve the routes with
the custom prefix — but that kinda falls more into a reverse proxy
job territory.

So let's remove this feature for now and amend the docs on how to
correctly handle the cookies per instance via the reverse proxy.

Author: pano9000

data-docs/config.ini

@@ -30,13 +30,6 @@ trustedReverseProxy=false
 
 
 [Session]
-# Use this setting to set a custom value for the "Path" Attribute value of the session cookie.
-# This can be useful, when you have several instances running on the same domain, under different paths (e.g. by using a reverse proxy).
-# It prevents your instances from overwriting each others' cookies, allowing you to stay logged in multiple instances simultanteously.
-# E.g. if you have instances running under https://your-domain.com/triliumNext/instanceA and https://your-domain.com/triliumNext/instanceB
-# you would want to set the cookiePath value to "/triliumNext/instanceA" for your first and "/triliumNext/instanceB" for your second instance
-cookiePath=/
-
 # Use this setting to set a custom value for the "Max-Age" Attribute of the session cookie.
 # This controls how long your session will be valid, before it expires and you need to log in again, when you use the "Remember Me" option.
 # Value needs to be entered in Seconds.

src/routes/csrf_protection.ts

@@ -1,12 +1,11 @@
 import { doubleCsrf } from "csrf-csrf";
 import sessionSecret from "../services/session_secret.js";
 import { isElectron } from "../services/utils.js";
-import config from "../services/config.js";
 
 const doubleCsrfUtilities = doubleCsrf({
     getSecret: () => sessionSecret,
     cookieOptions: {
-        path: config.Session.cookiePath,
+        path: "/",
         secure: false,
         sameSite: "strict",
         httpOnly: !isElectron // set to false for Electron, see https://github.com/TriliumNext/Notes/pull/966

src/routes/session_parser.ts

@@ -11,7 +11,7 @@ const sessionParser = session({
     resave: false, // true forces the session to be saved back to the session store, even if the session was never modified during the request.
     saveUninitialized: false, // true forces a session that is "uninitialized" to be saved to the store. A session is uninitialized when it is new but not modified.
     cookie: {
-        path: config.Session.cookiePath,
+        path: "/",
         httpOnly: true,
         maxAge: config.Session.cookieMaxAge * 1000 // needs value in milliseconds
     },

src/services/config.ts

@@ -31,7 +31,6 @@ export interface TriliumConfig {
         trustedReverseProxy: boolean | string;
     };
     Session: {
-        cookiePath: string;
         cookieMaxAge: number;
     };
     Sync: {
@@ -84,9 +83,6 @@ const config: TriliumConfig = {
     },
 
     Session: {
-        cookiePath:
-            process.env.TRILIUM_SESSION_COOKIEPATH || iniConfig?.Session?.cookiePath || "/",
-
         cookieMaxAge:
             parseInt(String(process.env.TRILIUM_SESSION_COOKIEMAXAGE)) || parseInt(iniConfig?.Session?.cookieMaxAge) || 21 * 24 * 60 * 60 // 21 Days in Seconds
     },