Enabled cross-subdomain console sessions by making the cookie domain configurable and aligning the frontend so it reads the shared CSRF cookie. (#27190)

Eric Guo
2025-10-28 10:04:24 +08:00
committed by GitHub
parent 543c5236e7
commit ff32dff163
10 changed files with 94 additions and 13 deletions


@@ -144,7 +144,9 @@ export const getMaxToken = (modelId: string) => {
export const LOCALE_COOKIE_NAME = 'locale'
const COOKIE_DOMAIN = (process.env.NEXT_PUBLIC_COOKIE_DOMAIN || '').trim()
export const CSRF_COOKIE_NAME = () => {
if (COOKIE_DOMAIN) return 'csrf_token'
const isSecure = API_PREFIX.startsWith('https://')
return isSecure ? '__Host-csrf_token' : 'csrf_token'
}
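Review bot: The new `if (COOKIE_DOMAIN) return 'csrf_token'` branch in `CSRF_COOKIE_NAME` gives up the `__Host-` prefix even on HTTPS, and nothing in the code records why or what that costs. A `__Host-` cookie cannot carry a Domain attribute, so the switch is needed for sharing, but a Domain-scoped `csrf_token` can be set or overwritten by any host under that domain, which weakens a double-submit CSRF check if one of those hosts is less trusted. I would add a comment above the branch such as `// Domain-scoped cookies cannot use the __Host- prefix; every host under COOKIE_DOMAIN can write this cookie, so configure it only for a domain you fully control.` It may also be worth checking whether `__Secure-csrf_token` could be used on HTTPS deployments, since that prefix permits Domain while still requiring Secure; that depends on the backend, which is not visible in this hunk. Because `NEXT_PUBLIC_COOKIE_DOMAIN` is presumably fixed at build time, the server-side cookie name has to be derived from the same setting, otherwise the frontend reads a cookie that is never set.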