WebAPI: Append port to session cookie name

PR #23228. Closes #21651.
2025-12-10 00:46:48 -06:00 · 2025-09-18 22:29:46 -07:00 · 2025-09-18 22:29:46 -07:00 · 753fb80e9b
commit 753fb80e9b
parent c075097acd
3 changed files with 2 additions and 39 deletions
--- a/src/base/preferences.cpp
+++ b/src/base/preferences.cpp
@ -924,19 +924,6 @@ void Preferences::setWebUISessionTimeout(const int timeout)
    setValue(u"Preferences/WebUI/SessionTimeout"_s, timeout);
 }

-QString Preferences::getWebAPISessionCookieName() const
-{
-    return value<QString>(u"WebAPI/SessionCookieName"_s);
-}
-
-void Preferences::setWebAPISessionCookieName(const QString &cookieName)
-{
-    if (cookieName == getWebAPISessionCookieName())
-        return;
-
-    setValue(u"WebAPI/SessionCookieName"_s, cookieName);
-}
-
 bool Preferences::isWebUIClickjackingProtectionEnabled() const
 {
    return value(u"Preferences/WebUI/ClickjackingProtection"_s, true);
--- a/src/base/preferences.h
+++ b/src/base/preferences.h
@ -215,8 +215,6 @@ public:
    void setWebUIBanDuration(std::chrono::seconds duration);
    int getWebUISessionTimeout() const;
    void setWebUISessionTimeout(int timeout);
-    QString getWebAPISessionCookieName() const;
-    void setWebAPISessionCookieName(const QString &cookieName);

    // WebUI security
    bool isWebUIClickjackingProtectionEnabled() const;
--- a/src/webui/webapplication.cpp
+++ b/src/webui/webapplication.cpp
@ -71,7 +71,7 @@
 #include "clientdatastorage.h"

 const int MAX_ALLOWED_FILESIZE = 10 * 1024 * 1024;
-const QString DEFAULT_SESSION_COOKIE_NAME = u"SID"_s;
+const QString SESSION_COOKIE_NAME_PREFIX = u"QBT_SID_"_s;

 const QString WWW_FOLDER = u":/www"_s;
 const QString PUBLIC_FOLDER = u"/public"_s;
@ -141,18 +141,6 @@ namespace

        return languages.join(u'\n');
    }
-
-    bool isValidCookieName(const QString &cookieName)
-    {
-        if (cookieName.isEmpty() || (cookieName.size() > 128))
-            return false;
-
-        const QRegularExpression invalidNameRegex {u"[^a-zA-Z0-9_\\-]"_s};
-        if (invalidNameRegex.match(cookieName).hasMatch())
-            return false;
-
-        return true;
-    }
 }

 WebApplication::WebApplication(IApplication *app, QObject *parent)
@ -166,17 +154,6 @@ WebApplication::WebApplication(IApplication *app, QObject *parent)

    configure();
    connect(Preferences::instance(), &Preferences::changed, this, &WebApplication::configure);
-
-    m_sessionCookieName = Preferences::instance()->getWebAPISessionCookieName();
-    if (!isValidCookieName(m_sessionCookieName))
-    {
-        if (!m_sessionCookieName.isEmpty())
-        {
-            LogMsg(tr("Unacceptable session cookie name is specified: '%1'. Default one is used.")
-                   .arg(m_sessionCookieName), Log::WARNING);
-        }
-        m_sessionCookieName = DEFAULT_SESSION_COOKIE_NAME;
-    }
 }

 WebApplication::~WebApplication()
@ -466,6 +443,7 @@ void WebApplication::configure()
    m_isAuthSubnetWhitelistEnabled = pref->isWebUIAuthSubnetWhitelistEnabled();
    m_authSubnetWhitelist = pref->getWebUIAuthSubnetWhitelist();
    m_sessionTimeout = pref->getWebUISessionTimeout();
+    m_sessionCookieName = SESSION_COOKIE_NAME_PREFIX + QString::number(pref->getWebUIPort());

    m_domainList = pref->getServerDomains().split(u';', Qt::SkipEmptyParts);
    std::for_each(m_domainList.begin(), m_domainList.end(), [](QString &entry) { entry = entry.trimmed(); });