Skip to content

Fix: Cookie deletion in Admin Interface#1091

Merged
jelmer merged 3 commits intoisso-comments:masterfrom
GeneMarks:patch-1
Mar 7, 2026
Merged

Fix: Cookie deletion in Admin Interface#1091
jelmer merged 3 commits intoisso-comments:masterfrom
GeneMarks:patch-1

Conversation

@GeneMarks
Copy link
Contributor

@GeneMarks GeneMarks commented Mar 4, 2026
edited
Loading

Checklist

  • All new and existing tests are passing
  • (If adding features:) I have added tests to cover my changes (None added)
  • (If docs changes needed:) I have updated the documentation accordingly. (Not needed)
  • I have added an entry to CHANGES.rst because this is a user-facing change or an important bugfix
  • I have written proper commit message(s)

What changes does this Pull Request introduce?

This PR removes the Domain attribute from the logic that targets the admin-session cookie for deletion/expiration.

Why is this necessary?

Currently, the 'Log Out' button on the admin interface does nothing when clicked in Firefox or Chrome with isso:latest (b8d865c497e396b927a9f85717f37ea6b3db66b18e0fd055b2786a4dc601d53c).

The admin-session cookie is created with a HostOnly cookie flag because the login logic does not specify a value for the Domain attribute.

Because the cookie is flagged as a HostOnly cookie, log_out() should refrain from attempting to target the cookie using a specified domain as well. In doing so, the line:

document.cookie = "admin-session=; Max-Age=0; domain=" + window.location.hostname + "; path=/";

attempts to target a different cookie that does not exist.

To properly target the HostOnly cookie, the Domain attribute should simply be omitted.

Please refer to the login logic and cookie creation here for reference:

isso/isso/views/comments.py

Lines 1439 to 1453 in bd68914

def login(self, env, req):
if not self.isso.conf.getboolean("admin", "enabled"):
isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
return render_template("disabled.html", isso_host_script=isso_host_script)
data = req.form
password = self.isso.conf.get("admin", "password")
if data["password"] and data["password"] == password:
response = redirect(re.sub(r"/login/$", "/admin/", get_current_url(env, strip_querystring=True)))
cookie = self.create_cookie(value=self.isso.sign({"logged": True}), expires=datetime.now() + timedelta(1))
response.headers.add("Set-Cookie", cookie("admin-session"))
response.headers.add("X-Set-Cookie", cookie("isso-admin-session"))
return response
else:
isso_host_script = self.isso.conf.get("server", "public-endpoint") or local.host
return render_template("login.html", isso_host_script=isso_host_script)

GeneMarks added 3 commits March 4, 2026 08:56
@GeneMarks
js: admin.js: Fix cookie deletion in log_out()
4cfc89b 
Previously, the 'Log Out' button on the admin interface did
nothing when clicked in Firefox or Chrome.

Because 'admin-session' is created as a HostOnly cookie with no
domain specified, log_out() needs to refrain from attempting to
target the cookie using a domain as well.

To properly target the HostOnly cookie, the 'domain' attribute
should simply be omitted.

Refer to the login logic and cookie creation here:
- https://github.com/isso-comments/isso/blob/bd689143c3b9bd0fea83382bf4c1a1993586520c/isso/views/comments.py#L1439
@GeneMarks
Add 'Log Out' button fix to Bugfixes & Improvements
84c1951
@GeneMarks
js: admin.js: Add missing semicolon
0de0408
@jelmer jelmer requested a review from Copilot March 7, 2026 21:48
@jelmer jelmer merged commit 520e6ee into isso-comments:master Mar 7, 2026
21 checks passed
Copilot AI reviewed Mar 7, 2026
View reviewed changes
Copy link

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Fixes admin logout reliability in modern browsers by adjusting how the admin-session cookie is expired to correctly target the host-only cookie created during login.

Changes:

  • Remove the Domain attribute when expiring the admin-session cookie in the admin UI logout handler.
  • Add a changelog entry documenting the admin logout bugfix.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
isso/js/admin.js Updates logout cookie expiration to omit Domain, ensuring the host-only admin-session cookie is properly cleared.
CHANGES.rst Documents the user-visible admin logout fix in the changelog.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@jelmer jelmer jelmer approved these changes

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@GeneMarks @jelmer