Conversation

@DavidBlaa
Member

No description provided.

DavidBlaa and others added 30 commits December 11, 2025 11:56
Updated SQL insert statements to set 'iscomplex' to true for specific citation types in the dim_mappingkeys table.
cookie.Domain = Request.Url.Host; // Set the domain
cookie.Path = "/"; // Set the path
cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day

Check failure

Code scanning / CodeQL

Cookie security: persistent cookie

Avoid persistent cookies.

Copilot Autofix

AI about 7 hours ago

In general, to avoid persistent cookies for sensitive data, you either (1) make them session cookies by not setting an Expires (or Max-Age), so the browser keeps them only in memory and deletes them when the browser closes, or (2) stop storing the sensitive data in a cookie at all and rely on server-side session state. Here we can preserve existing behavior while improving security by turning the "jwt" cookie into a session cookie.

The minimal, non-breaking fix in this snippet is to remove the explicit expiration, which is the only thing making the cookie persistent. In ASP.NET, if you do not set Expires, HttpCookie defaults to a session cookie. So in Console/BExIS.Web.Shell/Controllers/AccountController.cs, within the login action where the JWT cookie is created (around lines 303-316), we should delete the line cookieJwt.Expires = DateTime.Now.AddDays(1);. No other functional change is required: the cookie will still be created with the same name, value, domain, and path, but will now only live as long as the browser session.

No new imports, helper methods, or additional definitions are needed; this is strictly a one-line removal in the existing method.

Suggested changeset 1
Console/BExIS.Web.Shell/Controllers/AccountController.cs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/Console/BExIS.Web.Shell/Controllers/AccountController.cs b/Console/BExIS.Web.Shell/Controllers/AccountController.cs
--- a/Console/BExIS.Web.Shell/Controllers/AccountController.cs
+++ b/Console/BExIS.Web.Shell/Controllers/AccountController.cs
@@ -308,7 +308,6 @@
                         HttpCookie cookieJwt = new HttpCookie("jwt", jwt);
 
                         // Set additional properties if needed
-                        cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day
                         cookieJwt.Domain = Request.Url.Host; // Set the domain
                         cookieJwt.Path = "/"; // Set the path
 
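Review bot: removing cookieJwt.Expires at line 311 only stops the browser from writing the cookie to disk; it does not shorten the lifetime of the token itself, which is fixed when the jwt value placed in the cookie is issued, so a token that leaks out of the session cookie stays valid for as long as its issuer allows. The same block still sets neither Secure (the CodeQL warning further down on this page) nor HttpOnly, so adding cookieJwt.Secure = true; and cookieJwt.HttpOnly = true; in this hunk would close that finding in the same change. Note also that the second autofix on this page carries cookieJwt.Expires = DateTime.Now.AddDays(1); as unchanged context at its line 310, so the two suggested patches do not apply on top of each other without regenerating one of them.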
EOF
cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day
cookieJwt.Domain = Request.Url.Host; // Set the domain
cookieJwt.Path = "/"; // Set the path

Check failure

Code scanning / CodeQL

Cookie security: overly broad path

Overly broad path for cookie.

Copilot Autofix

AI about 7 hours ago

In general, to fix an overly broad cookie path, set the cookie’s Path to the actual context path (or a narrower application sub-path) instead of /. This limits which HTTP requests will include the cookie and prevents other applications on the same domain from accessing it.

In this specific code, we should replace cookieJwt.Path = "/"; with a path that corresponds to the current application’s virtual directory (context path). In ASP.NET, Request.ApplicationPath returns the application’s root path (for example, /BExIS or / if deployed at domain root). Using Request.ApplicationPath (or the corresponding MVC helper in this controller) preserves existing functionality for this app but avoids exposing the cookie to sibling apps hosted under the same domain. No new methods or external libraries are required; we only need to change the assignment of the Path property on the HttpCookie.

Concretely: in Console/BExIS.Web.Shell/Controllers/AccountController.cs, in the region where cookieJwt is configured (lines around 305–315), change cookieJwt.Path = "/"; to cookieJwt.Path = Request.ApplicationPath;. This will ensure the cookie is only sent for requests under the same application root, while still working correctly for all routes within this app.


Suggested changeset 1
Console/BExIS.Web.Shell/Controllers/AccountController.cs

Autofix patch

Run the following command in your local git repository to apply this patch
cat << 'EOF' | git apply
diff --git a/Console/BExIS.Web.Shell/Controllers/AccountController.cs b/Console/BExIS.Web.Shell/Controllers/AccountController.cs
--- a/Console/BExIS.Web.Shell/Controllers/AccountController.cs
+++ b/Console/BExIS.Web.Shell/Controllers/AccountController.cs
@@ -310,7 +310,7 @@
                         // Set additional properties if needed
                         cookieJwt.Expires = DateTime.Now.AddDays(1); // Expires in 1 day
                         cookieJwt.Domain = Request.Url.Host; // Set the domain
-                        cookieJwt.Path = "/"; // Set the path
+                        cookieJwt.Path = Request.ApplicationPath; // Restrict the cookie to this application's path
 
                         // Add the cookie to the response
                         Response.Cookies.Add(cookieJwt);
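Review bot: Request.ApplicationPath at line 313 evaluates to "/" when the site is deployed at the domain root (the explanation above says so), so in that deployment the patch changes nothing and the CodeQL finding stays open; the narrowing only takes effect under a virtual directory such as /BExIS. Cookie path scoping is also not a same-origin security boundary that browsers enforce between applications on one host, so it should not be the control relied on to keep the JWT away from sibling applications; the Secure warning below (and HttpOnly) belong in this same block. This hunk keeps cookieJwt.Expires = DateTime.Now.AddDays(1); as context at line 310, which the first autofix deletes, so applying both suggested patches needs one of them regenerated against the other.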
EOF
// Create a new cookie
HttpCookie cookie = new HttpCookie("jwt", jwt);
HttpCookie cookieJwt = new HttpCookie("jwt", jwt);

Check warning

Code scanning / CodeQL

Cookie 'Secure' attribute is not set to true

Cookie attribute 'Secure' is not set to true.
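The three CodeQL findings on this page (persistent cookie, overly broad path, Secure not set) can be checked mechanically on the Set-Cookie header the server emits. The auditor below is an added example, not code from the BExIS project or from the autofix: the Set-Cookie values are constructed, the application path stands in for Request.ApplicationPath, and it also reports a missing HttpOnly, which the page itself does not flag.

```python
# Constructed Set-Cookie headers (not captured from BExIS). BEFORE mirrors the
# original AccountController code: Expires set, Path "/", no Secure/HttpOnly.
# AFTER is what the cookie looks like once both autofixes and the Secure
# finding are addressed, for an app deployed under the /BExIS virtual directory.
BEFORE = ("jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig; "
          "expires=Tue, 13 Jan 2026 11:56:00 GMT; domain=example.test; path=/")
AFTER = ("jwt=eyJhbGciOiJIUzI1NiJ9.e30.sig; "
         "domain=example.test; path=/BExIS; Secure; HttpOnly")


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to "".
    """
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value.strip(), attrs


def audit_set_cookie(header, application_path="/"):
    """Return the findings that apply to this header, in a fixed order.

    application_path plays the role of ASP.NET's Request.ApplicationPath:
    "/" at the domain root, "/BExIS" for a virtual directory.
    """
    _name, _value, attrs = parse_set_cookie(header)
    findings = []
    # Persistent cookie: Expires or Max-Age makes the browser keep it on disk.
    if "expires" in attrs or "max-age" in attrs:
        findings.append("persistent cookie")
    # Overly broad path: "/" is only as broad as the app when the app IS the root.
    # An absent Path is treated as "/" here (conservative simplification).
    cookie_path = attrs.get("path", "/")
    if cookie_path == "/" and application_path.rstrip("/") != "":
        findings.append("overly broad path")
    if "secure" not in attrs:
        findings.append("Secure not set")
    if "httponly" not in attrs:
        findings.append("HttpOnly not set")
    return findings


if __name__ == "__main__":
    for label, header in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_set_cookie(header, application_path="/BExIS"))
```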
@DavidBlaa DavidBlaa merged commit 0a1fe2f into master Jan 12, 2026
8 checks passed
