From be9a3794e935cf6c7ce2091427d0b412f55a0964 Mon Sep 17 00:00:00 2001
From: Fijxu
Date: Mon, 31 Mar 2025 00:25:32 -0300
Subject: [PATCH] cookies: remove port number from domain if it exists
---
 src/invidious/user/cookies.cr | 10 ++++++++++
 1 file changed, 10 insertions(+)
diff --git a/src/invidious/user/cookies.cr b/src/invidious/user/cookies.cr
index 515718c8..eee92085 100644
--- a/src/invidious/user/cookies.cr
+++ b/src/invidious/user/cookies.cr
@@ -11,6 +11,10 @@ struct Invidious::User
 # Session ID (SID) cookie
 # Parameter "domain" comes from the global config
 def sid(domain : String?, sid) : HTTP::Cookie
+ # Strip the port from the domain if it's being accessed from another port
+ # Browsers will reject the cookie if it contains the port number. This is
+ # because `example.com:3000` is not the same as `example.com` on a cookie.
+ domain = domain.split(":")[0]
 # Not secure if it's being accessed from I2P
 # Browsers expect the domain to include https. On I2P there is no HTTPS
 if domain.not_nil!.split(".").last == "i2p"
@@ -30,6 +34,10 @@ struct Invidious::User
 # Preferences (PREFS) cookie
 # Parameter "domain" comes from the global config
 def prefs(domain : String?, preferences : Preferences) : HTTP::Cookie
+ # Strip the port from the domain if it's being accessed from another port
+ # Browsers will reject the cookie if it contains the port number. This is
+ # because `example.com:3000` is not the same as `example.com` on a cookie.
+ domain = domain.split(":")[0]
 # Not secure if it's being accessed from I2P
 # Browsers expect the domain to include https. On I2P there is no HTTPS
 if domain.not_nil!.split(".").last == "i2p"
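Review bot: The added `domain = domain.split(":")[0]` in `sid` calls `split` on a parameter declared `String?` before the existing nil handling (`domain.not_nil!` on the following context line), so a nil config domain is now hit one line earlier than before; if nil is genuinely reachable here, `domain = domain.try &.split(":")[0]` keeps the previous handling for that case, and the identical line added in `prefs` in the second hunk has the same issue. Splitting on the first colon also truncates a bracketed IPv6 host such as `[::1]:3000` to `[`, which is worth a comment or a guard if the config allows such values. The same strip-port block now appears verbatim in `sid`, `prefs` and the third method of this file; a small private helper, e.g. `private def strip_port(domain : String?) : String?`, would keep the three in sync. Both method bodies continue past their hunks.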
@@ -53,6 +61,8 @@ struct Invidious::User
 server_id = rand(CONFIG.invidious_companion.size)
 end
 # Strip the port from the domain if it's being accessed from another port
+ # Browsers will reject the cookie if it contains the port number. This is
+ # because `example.com:3000` is not the same as `example.com` on a cookie.
 domain = domain.split(":")[0]
 # Not secure if it's being accessed from I2P
 # Browsers expect the domain to include https. On I2P there is no HTTPS