From bbb28b5edae3c834fe36f034f434d3e47eda7ceb Mon Sep 17 00:00:00 2001
From: Alexandre Alapetite
Date: Fri, 8 May 2026 09:05:32 +0200
Subject: [PATCH] Fix reauth with legacy cookie (#8778)
Fix https://github.com/FreshRSS/FreshRSS/issues/8486
Fix https://github.com/FreshRSS/FreshRSS/issues/8532
Restore some legacy code from https://github.com/FreshRSS/FreshRSS/pull/8447
How to test:
* Start with FreshRSS 1.28.1
* Update to edge
* Access user management
Co-authored-by: Copilot
---
 lib/Minz/Session.php | 25 +++++++++++++++++++++++++
 1 file changed, 25 insertions(+)
diff --git a/lib/Minz/Session.php b/lib/Minz/Session.php
index 6cb26ce71..43678ab2c 100644
--- a/lib/Minz/Session.php
+++ b/lib/Minz/Session.php
@@ -54,6 +54,15 @@ class Minz_Session {
 session_set_cookie_params($params);
 session_name($name);
+
+ // Delete legacy cookie (before 1.29.0) if it exists
+ if (isset($_COOKIE[$name])) {
+ $legacyDir = self::getLegacyCookieDir();
+ if ($legacyDir !== '' && $legacyDir !== '/') {
+ setcookie($name, '', ['expires' => 1, 'path' => $legacyDir]);
+ }
+ }
+
 // When using cookies (default value), session_start() sends HTTP headers
 session_start();
 session_write_close();
@@ -180,6 +189,22 @@ class Minz_Session {
 }
 }
+ /**
+ * Kept only to delete legacy cookies from before 1.29.0
+ */
+ protected static function getLegacyCookieDir(): string {
+ // Get the script_name (e.g. /p/i/index.php) and keep only the path.
+ $cookie_dir = '';
+ if (!empty($_SERVER['HTTP_X_FORWARDED_PREFIX']) && is_string($_SERVER['HTTP_X_FORWARDED_PREFIX'])) {
+ $cookie_dir .= rtrim($_SERVER['HTTP_X_FORWARDED_PREFIX'], '/ ');
+ }
+ $cookie_dir .= empty($_SERVER['REQUEST_URI']) || !is_string($_SERVER['REQUEST_URI']) ? '/' : $_SERVER['REQUEST_URI'];
+ if (substr($cookie_dir, -1) !== '/') {
+ $cookie_dir = dirname($cookie_dir) . '/';
+ }
+ return $cookie_dir;
+ }
+
 /**
 * Regenerate a session id.
 */
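Review bot: The `isset($_COOKIE[$name])` guard added before `session_start()` is true for the current session cookie as well as a legacy one, because both share `$name`, so the expiring `Set-Cookie` for `$legacyDir` goes out whenever `init()` runs with any session cookie present, not once after the upgrade. That is only safe while the current cookie can never be scoped to `$legacyDir`; the `$params` setup is outside this hunk, so it cannot be confirmed here, and a comment such as `// Same name as the current cookie: relies on the current cookie never being scoped to the legacy directory` would record the assumption. The result of `setcookie()` is also ignored, so a rejected path would go unnoticed or, if it throws, stop session start. `init()` starts and ends outside the hunk.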
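Review bot: `getLegacyCookieDir()` feeds request-controlled data into a cookie `path`: `$_SERVER['REQUEST_URI']` still carries the query string, and `X-Forwarded-Prefix` can be sent by any client unless a trusted proxy overwrites it. When the query contains `/`, `dirname()` keeps part of it, so the result no longer names a directory, and on PHP 8 `setcookie()` throws a `ValueError` for a path containing `,`, `;` or whitespace, which would surface in the caller during session start. Dropping the query before the trailing-slash check, e.g. `$uri = explode('?', $_SERVER['REQUEST_URI'], 2)[0];`, should leave the common case unchanged, assuming legacy cookies were normally written from URLs without `/` in the query. The docblock could also say that the return value is built from untrusted request data and must be validated before it is used as a cookie path.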