Docs: Add upgrade note for modification of the cookie path (#25221)

* Add note for modification in the cookie path

* Update docs/sources/installation/upgrading.md

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

* Update docs/sources/installation/configuration.md

Co-authored-by: Arve Knudsen <arve.knudsen@gmail.com>

docs/sources/installation/configuration.md

@@ -457,11 +457,6 @@ Text used as placeholder text on login page for password input.
 Grafana provides many ways to authenticate users. The docs for authentication has been split in to many different pages
 below.
 
-### oauth_state_cookie_max_age
-
-How long the OAuth state cookie lives before being deleted. Default is `60` (seconds)
-Administrators can increase it if they experience OAuth login state mismatch errors.
-
 - [Authentication Overview]({{< relref "../auth/overview.md" >}}) (anonymous access options, hide login and more)
 - [Google OAuth]({{< relref "../auth/google.md" >}}) (auth.google)
 - [GitHub OAuth]({{< relref "../auth/github.md" >}}) (auth.github)
@@ -471,6 +466,15 @@ Administrators can increase it if they experience OAuth login state mismatch err
 - [LDAP Authentication]({{< relref "../auth/ldap.md" >}}) (auth.ldap)
 - [Auth Proxy]({{< relref "../auth/auth-proxy.md" >}}) (auth.proxy)
 
+### login_cookie_name
+
+The cookie name for storing the auth token, the default is `grafana_session`.
+
+### oauth_state_cookie_max_age
+
+How long the OAuth state cookie lives before being deleted. Default is `60` (seconds)
+Administrators can increase this if they experience OAuth login state mismatch errors.
+
 ## [dataproxy]
 
 ### logging

docs/sources/installation/upgrading.md

@@ -252,3 +252,7 @@ A global minimum dashboard refresh interval is now enforced and defaults to 5 se
 ### Backend plugins
 
 Grafana now requires backend plugins to be signed. If a backend plugin is not signed Grafana will not load/start it. This is an additional security measure to make sure backend plugin binaries and files haven't been tampered with.  All Grafana Labs authored backend plugins, including Enterprise plugins, are now signed. It's possible to allow unsigned plugins using a configuration setting, but is something we strongly advise against doing. Read more [here]({{< relref "configuration/#allow-loading-unsigned-plugins" >}}) about this setting.
+
+### Cookie path
+
+Starting from Grafana v7.0.0, the cookie path does not include the trailing slash if Grafana is served from a subpath in order to align with [RFC 6265](https://tools.ietf.org/html/rfc6265#section-5.1.4). However, stale session cookies (set before the upgrade) can result in unsuccessful logins because they can not be deleted during the standard login phase due to the changed cookie path. Therefore users experiencing login problems are advised to manually delete old session cookies, or administrators can fix this for all users by changing the [`login_cookie_name`]({{< relref "configuration/#login-cookie-name" >}}), so the old cookie would get ignored.