Merge pull request #5859 from appwrite/feat-x-domain-cookie-2

feat: X domain console cookie
2026-05-24 09:28:40 +00:00 · 2023-07-22 16:33:00 +03:00 · 2023-07-22 16:33:00 +03:00 · c132766c63
commit c132766c63
parent ffa823e455 80aa2374d1
5 changed files with 27 additions and 7 deletions
--- a/.env
+++ b/.env
@ -4,6 +4,7 @@ _APP_WORKER_PER_CORE=6
 _APP_CONSOLE_WHITELIST_ROOT=disabled
 _APP_CONSOLE_WHITELIST_EMAILS=
 _APP_CONSOLE_WHITELIST_IPS=
+_APP_CONSOLE_ROOT_SESSION=disabled
 _APP_SYSTEM_EMAIL_NAME=Appwrite
 _APP_SYSTEM_EMAIL_ADDRESS=team@appwrite.io
 _APP_SYSTEM_SECURITY_EMAIL_ADDRESS=security@appwrite.io
--- a/1
+++ b/1
@ -51,6 +51,7 @@ ENV _APP_SERVER=swoole \
    _APP_CONSOLE_WHITELIST_ROOT=enabled \
    _APP_CONSOLE_WHITELIST_EMAILS= \
    _APP_CONSOLE_WHITELIST_IPS= \
+    _APP_CONSOLE_ROOT_SESSION= \
    _APP_SYSTEM_EMAIL_NAME= \
    _APP_SYSTEM_EMAIL_ADDRESS= \
    _APP_SYSTEM_RESPONSE_FORMAT= \
--- a/app/config/variables.php
+++ b/app/config/variables.php
@ -105,6 +105,15 @@ return [
                'question' => '',
                'filter' => ''
            ],
+            [
+                'name' => '_APP_CONSOLE_ROOT_SESSION',
+                'description' => 'Domain policy for the Appwrite console session cookie. By default, set to \'disabled\', meaning the session cookie will be set to the domain of the Appwrite console (e.g. cloud.appwrite.io). When set to \'enabled\', the session cookie will be set to the registerable domain of the Appwrite server (e.g. appwrite.io).',
+                'introduction' => '',
+                'default' => 'disabled',
+                'required' => false,
+                'question' => '',
+                'filter' => ''
+            ],
            [
                'name' => '_APP_SYSTEM_EMAIL_NAME',
                'description' => 'This is the sender name value that will appear on email messages sent to developers from the Appwrite console. The default value is: \'Appwrite\'. You can use url encoded strings for spaces and special chars.',
--- a/app/controllers/general.php
+++ b/app/controllers/general.php
@ -175,13 +175,21 @@ App::init()
            $endDomain->getRegisterable() !== ''
        );

-        Config::setParam('cookieDomain', (
-            $request->getHostname() === 'localhost' ||
-            $request->getHostname() === 'localhost:' . $request->getPort() ||
-            (\filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false)
-        )
-            ? null
-            : '.' . $request->getHostname());
+        $isLocalHost = $request->getHostname() === 'localhost' || $request->getHostname() === 'localhost:' . $request->getPort();
+        $isIpAddress = filter_var($request->getHostname(), FILTER_VALIDATE_IP) !== false;
+
+        $isConsoleProject = $project->getAttribute('$id', '') === 'console';
+        $isConsoleRootSession = App::getEnv('_APP_CONSOLE_ROOT_SESSION', 'disabled') === 'enabled';
+
+        Config::setParam(
+            'cookieDomain',
+            $isLocalHost || $isIpAddress
+                ? null
+                : ($isConsoleProject && $isConsoleRootSession
+                    ? '.' . $selfDomain->getRegisterable()
+                    : '.' . $request->getHostname()
+                )
+        );

        /*
        * Response format
--- a/docker-compose.yml
+++ b/docker-compose.yml
@ -100,6 +100,7 @@ services:
      - _APP_CONSOLE_WHITELIST_ROOT
      - _APP_CONSOLE_WHITELIST_EMAILS
      - _APP_CONSOLE_WHITELIST_IPS
+      - _APP_CONSOLE_ROOT_SESSION
      - _APP_SYSTEM_EMAIL_NAME
      - _APP_SYSTEM_EMAIL_ADDRESS
      - _APP_SYSTEM_SECURITY_EMAIL_ADDRESS