diff --git a/app/models/active_session.rb b/app/models/active_session.rb
index 7d025fb77389f3c42ac48e914669634c1c723fb8..e42f9eeef238dfe4a401f71becb261b75d622db2 100644
--- a/app/models/active_session.rb
+++ b/app/models/active_session.rb
@@ -102,17 +102,16 @@ def self.set(user, request)
 
   # set marketing cookie when user has active session
   def self.set_active_user_cookie(auth)
-    auth.cookies[:about_gitlab_active_user] =
+    expiration_time = 2.weeks.from_now
+
+    auth.cookies[:gitlab_user] =
       {
         value: true,
-        domain: Gitlab.config.gitlab.host
+        domain: Gitlab.config.gitlab.host,
+        expires: expiration_time
       }
   end
 
-  def self.unset_active_user_cookie(auth)
-    auth.cookies.delete :about_gitlab_active_user
-  end
-
   def self.list(user)
     Gitlab::Redis::Sessions.with do |redis|
       cleaned_up_lookup_entries(redis, user).map do |raw_session|
diff --git a/config/initializers/warden.rb b/config/initializers/warden.rb
index 14bcaa80064789b67fe182eaf6cabd684853afdf..fd3e7fb6d18798f3137954a3c9ec4b7d15c39ee5 100644
--- a/config/initializers/warden.rb
+++ b/config/initializers/warden.rb
@@ -38,8 +38,6 @@
 Warden::Manager.before_logout(scope: :user) do |user, auth, opts|
   user ||= auth.user
 
-  # deletes marketing cookie when user session ends
-  ActiveSession.unset_active_user_cookie(auth) if ::Gitlab.com?
   # Rails CSRF protection may attempt to log out a user before that
   # user even logs in
   next unless user
diff --git a/doc/user/profile/index.md b/doc/user/profile/index.md
index 828f37cbf438fef22da7ac369c996bbf6f3f2365..cff18654292aff587aa543ff1e73bed4f1bc0a32 100644
--- a/doc/user/profile/index.md
+++ b/doc/user/profile/index.md
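Review bot: The new cookie outlives the session it is meant to signal: `expires: expiration_time` pins `gitlab_user` to two weeks from sign-in, and the same commit removes the `before_logout` deletion in `config/initializers/warden.rb`, so after sign-out or a `session_expire_delay` expiry the marketing site is still told that a session is active. If that is the intended trade-off, the method comment should say so, e.g. `# set marketing cookie; it persists for 2 weeks and is not cleared on sign-out`; otherwise keep a logout hook that deletes `:gitlab_user`. The hash also sets no `secure:` or `same_site:` attribute, so whether the cookie is HTTPS-only depends on settings outside this hunk (force_ssl / cookie defaults); consider `secure: true` when the instance is served over HTTPS. The documentation hunk in this commit still says the cookie is usually cleared when the browser closes, which does not hold for a cookie with an explicit `expires`.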
@@ -397,15 +397,15 @@ When you sign in, three cookies are set:
 
 - A session cookie called `_gitlab_session`. This cookie has no set expiration date. However, it expires based on its `session_expire_delay`.
-- A session cookie called `about_gitlab_active_user`.
-  This cookie is used by the [marketing site](https://about.gitlab.com/) to determine if a user has an active GitLab session. No user information is passed to the cookie and it expires with the session.
+- A session cookie called `gitlab_user`.
+  This cookie is used by the [marketing site](https://about.gitlab.com/) to determine if a user has an active GitLab session. No user information is passed to the cookie and it expires two weeks from login.
 - A persistent cookie called `remember_user_token`, which is set only if you selected **Remember me** on the sign-in page.
 
-When you close your browser, the `_gitlab_session` and `about_gitlab_active_user` cookies are usually cleared client-side.
+When you close your browser, the `_gitlab_session` and `gitlab_user` cookies are usually cleared client-side.
 
 When it expires or isn't available, GitLab:
 
 - Uses the `remember_user_token`cookie to get you a new `_gitlab_session` cookie and keep you signed in, even if you close your browser.
-- Sets the `about_gitlab_active_user` to `true`.
+- Sets the `gitlab_user` to `true`.
 
 When both the `remember_user_token` and `_gitlab_session` cookies are gone or expired, you must sign in again.
diff --git a/spec/models/active_session_spec.rb b/spec/models/active_session_spec.rb
index 54169c254a6f1cfedc19e976aa8e5a9977bf0aa7..af884fdb83cc2a40b2af63530262a1cca0dad529 100644
--- a/spec/models/active_session_spec.rb
+++ b/spec/models/active_session_spec.rb
@@ -650,25 +650,13 @@ def dump_session(session)
       end
     end
 
-  describe '.set_active_user_cookie' do
+  describe '.set_active_user_cookie', :freeze_time do
     let(:auth) { double(cookies: {}) }
 
     it 'sets marketing cookie' do
       described_class.set_active_user_cookie(auth)
-      expect(auth.cookies[:about_gitlab_active_user][:value]).to be_truthy
-    end
-  end
-
-  describe '.unset_active_user_cookie' do
-    let(:auth) { double(cookies: {}) }
-
-    before do
-      described_class.set_active_user_cookie(auth)
-    end
-
-    it 'unsets marketing cookie' do
-      described_class.unset_active_user_cookie(auth)
-      expect(auth.cookies[:about_gitlab_active_user]).to be_nil
+      expect(auth.cookies[:gitlab_user][:value]).to be_truthy
+      expect(auth.cookies[:gitlab_user][:expires]).to be_within(1.minute).of(2.weeks.from_now)
     end
   end
 end
diff --git a/spec/requests/sessions_spec.rb b/spec/requests/sessions_spec.rb
index 9454d75d990ab74e58ef644c17020706fcd470c0..3428e607305f8c3614ac3fdf02f33e96730835d2 100644
--- a/spec/requests/sessions_spec.rb
+++ b/spec/requests/sessions_spec.rb
@@ -5,7 +5,7 @@
 RSpec.describe 'Sessions', feature_category: :system_access do
   include SessionHelpers
 
-  let_it_be(:user) { create(:user) }
+  let(:user) { create(:user) }
 
   context 'for authentication', :allow_forgery_protection do
     it 'logout does not require a csrf token' do
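Review bot: With `:freeze_time` on the describe block, `be_within(1.minute).of(2.weeks.from_now)` is looser than the example needs; `expect(auth.cookies[:gitlab_user][:expires]).to eq(2.weeks.from_now)` pins the exact value and should still pass because time is frozen. The example also leaves the `domain:` attribute unasserted, so a regression in the cookie's scope would go unnoticed; `expect(auth.cookies[:gitlab_user][:domain]).to eq(Gitlab.config.gitlab.host)` covers it.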
@@ -17,20 +17,20 @@
     end
   end
 
-  describe 'about_gitlab_active_user', :saas do
+  describe 'gitlab_user cookie', :saas do
+    let_it_be(:user) { create(:user) }
+
     context 'when user signs in' do
       it 'sets marketing cookie' do
         post user_session_path(user: { login: user.username, password: user.password })
-
-        expect(response.cookies['about_gitlab_active_user']).to be_present
+        expect(response.cookies['gitlab_user']).to be_present
       end
     end
 
     context 'when user uses remember_me' do
       it 'sets marketing cookie' do
         post user_session_path(user: { login: user.username, password: user.password, remember_me: true })
-
-        expect(response.cookies['about_gitlab_active_user']).to be_present
+        expect(response.cookies['gitlab_user']).to be_present
       end
     end
 
@@ -74,18 +74,6 @@ def authenticate_2fa(otp_attempt:)
       end
     end
 
-    context 'when user signs out' do
-      before do
-        post user_session_path(user: { login: user.username, password: user.password })
-      end
-
-      it 'deletes marketing cookie' do
-        post(destroy_user_session_path)
-
-        expect(response.cookies['about_gitlab_active_user']).to be_nil
-      end
-    end
-
     context 'when user is not using GitLab SaaS' do
       before do
         allow(::Gitlab).to receive(:com?).and_return(false)
@@ -93,8 +81,7 @@ def authenticate_2fa(otp_attempt:)
 
       it 'does not set marketing cookie' do
         post user_session_path(user: { login: user.username, password: user.password })
-
-        expect(response.cookies['about_gitlab_active_user']).to be_nil
+        expect(response.cookies['gitlab_user']).to be_nil
       end
     end
   end
 end
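Review bot: The `'when user signs out'` example removed in the later hunk of this file (`@@ -74,18 +74,6 @@`) is not replaced, so the new behaviour — `gitlab_user` is no longer cleared on sign-out now that the warden `before_logout` deletion is gone — is asserted nowhere. Add an example under `describe 'gitlab_user cookie'` that signs in, calls `post(destroy_user_session_path)`, and states the intended post-logout state of `cookies['gitlab_user']` explicitly, so that a future change in either direction is caught by the suite. A short comment on why `let_it_be(:user)` is reintroduced here while the file-level definition in the earlier hunk became `let` would also help; presumably the `'for authentication'` examples need a fresh user per example — confirm.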