-
Notifications
You must be signed in to change notification settings - Fork 3.1k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Multiple Set-Cookie headers only set 1 cookie #5688
Comments
Commenting here as it appears #5432 has moved to this issue now... |
You can also click "Subscribe" on the right-hand sidebar to get notifications, without needing to comment. :) |
Yep, I'm aware. I provided logs in the last issue, so wanted you to know I'm still following all of this. Let me know if you need anything else. |
@flotwig Since the thread continued here, here's the addition to my post in 5432 as you requested #5432 (comment). Please note that in our case we don't miss cookies, but we seem to be getting extra cookies that are messing things up. The way I test our flow in Cypress:
Please see the screenshot I added with the difference we see with the Also I don't use a Via manual steps in browser To reproduce your requested example, not via BE calls:
I'm using Cypress 3.6.1 |
I'm working on a PR to reproduce & fix this issue here: #5702 |
@flotwig one addition i forgot to mention, maybe it can help, maybe it won't. When putting the jwt url in jwt.io in the right situation (3.4.1) it will give the left result, in the wrong situation (3.6.1) it will give the right result. So typ:"JWT" is missing: |
@pete-om I attempted to reproduce your specific setup by doing the following: I set up an Express server with these handlers: app.get("/", function(req, res) {
res.type('html').end(req.cookies);
}
app.get("/account/login", function(req, res) {
res.cookie('token1', 'foo').type('html').end('hi');
});
app.post("/account/login", function(req, res) {
res.clearCookie('shouldclear')
.cookie('token2', 'bar')
.redirect(302, '/');
}); Then, I wrote this test: it("sends cookies in redirects", function() {
cy.setCookie('shouldclear', 'something');
cy.request('/account/login');
cy.request({
method: 'POST',
url: '/account/login'
}).its('body').should('deep.include', {
token1: 'foo',
token2: 'bar'
});
}); ...and it passes in 3.6.1. Can you help me spot the difference between this and your setup so I can reproduce the problem? |
@emijmker You might be experiencing an issue with URL encoding, is your URL really all alphanumeric like this?
Or are there special characters in there? If so, can you share a URL that contains the special characters? |
@flotwig It looks kinda right Possible things to change:
I dumped the POST cy.request xhr to console via The response header details from the initial request, which shows them to be basically identical, with some minor ordering changes: The request headers of the redirect request, showing differences that are causing the problems: Interestingly, an ssocompany cookie gets passed in the redirect header in 3.4.1 for some reason, perhaps the browser set the cookie with a time in the past and it hasn't run any expiry cleanup code before it sent the followup request? BUT this is not present in 3.6.1! |
@flotwig
The JWT token after the hostname is alfanumeric and can contain [ |
We are also experiencing issues with authentication on 3.5.0+, however, we observe slightly different behaviour than reported here. We perform login with a We're also staying always inside the same domain/subdomain. |
@tozes Does your cookie have a |
@tozes we have the same problem. Only one ser-cookie header is received but it wont set it |
I believe the problem is most likely #5656, if you're setting a custom Domain property that will most likely fail because of this bug. |
Hey everyone, version 3.7.0 of Cypress has been released with some fixes for cookie behavior. Please try it out and see if it fixes your issue. |
@flotwig no change here :( |
Can confirm that this fixes the issue for me. Thank you for all your work on this! |
Can confirm 3.7 solved my issues also! Thanks! :) |
Hey again @flotwig - I've grabbed our product code this morning and started hacking around in it to try to isolate and reproduce the issue better locally, and it seems like while the first cookie does get processed and the second one doesn't, the existence of the multiple cookies was not the real issue for us :\
So it appears this is another cookie domain issue and unfortunately has nothing to do with the number of cookies sent through. I'm guessing it's just if the cookie domain doesn't match the full hostname, it doesn't get processed? Apologies for the bum steer, hopefully this new info helps with finding the root cause! Happy to help further if you need more info or want me to try something else. |
We're still seeing the issue in 3.7.0, and have a setup the same as @pete-om. Changing the cookie domain to exactly match the URL fixes the problem. The (maybe) interesting thing is that we have an auto-retry plugin for some occasional timing fails, and the first retry actually succeeds. I'd also be happy to help further if necessary. Thanks! |
@flotwig I'll see if I can put something together, but in the mean time, it seems to happen when cookies are set using the leading dot ( |
@corwinstephen Sounds good, thank you for the information. To clarify, you're having issues with |
@flotwig yep that's correct, and also confirmed the issue is present in 3.7, 3.6, and 3.5 |
@corwinstephen There are tests that cover setting a cookie with Unfortunately I am pretty much out of guesses as to what it could be, so this issue is blocked until someone can share a reproducible example repo. |
@flotwig the strange thing is that if I hardcode my cookie domain to have a subdomain, like I'd love to put something together, but for my situation it would take a lot of time to do. I'll see if I can chip away over the holidays, if no one does it sooner. Alternatively, I'd be happy to set up a screen share so you can see it occurring on my machine. |
@polga same here, explicitly setting the cookie with a subdomain works |
@flotwig Okay, some more detail on what's happening: In 3.4.1, I make a In my particular instance (Rails), I believe the invalid session on the subdomain is invalidating the entire session, causing both domains to be logged out. |
No updates on this? I see no cookies related fixes in 3.8.2. I am still stuck with 3.4.1 |
@borecz Still want to fix this issue, but I have not been able to reproduce it despite several attempts. I am hoping someone can supply some code that reproduces the issue. |
May I reach you out in private? I could share the code there.
… On 13. Jan 2020, at 15:18, Zach Bloomquist ***@***.***> wrote:
@borecz <https://github.com/borecz> Still want to fix this issue, but I have not been able to reproduce it despite several attempts. I am hoping someone can supply some code that reproduces the issue.
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#5688?email_source=notifications&email_token=ANS5YMVVUCAOW42XLSA5D33Q5RZ3PA5CNFSM4JM6OMT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIY3VCQ#issuecomment-573684362>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANS5YMQBQM2PQG5T4NZ7WDDQ5RZ3PANCNFSM4JM6OMTQ>.
|
@borecz Sure, my email is on my GitHub profile. |
@borecz were you guys able to connect on this? |
Yes, we did. Zac has access to the working example.
… On 17. Jan 2020, at 18:43, Stephen Elizabeth ***@***.***> wrote:
@borecz <https://github.com/borecz> were you guys able to connect on this?
—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub <#5688?email_source=notifications&email_token=ANS5YMQ6PMLLQUZQH6Z6QCLQ6HU3PA5CNFSM4JM6OMT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJIOA7A#issuecomment-575725692>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ANS5YMRB3DZ5262TMT2RP5DQ6HU3PANCNFSM4JM6OMTQ>.
|
@borecz awesome. Thanks for biting the bullet on that one |
Any news on this? |
@flotwig is there still activity on this? |
@corwinstephen I have been unable to devote a lot of time to this lately, working on getting other things out the door. But this is my priority as soon as 4.0 is out. |
An update here. I managed to get this working by grabbing the cookies set via |
Any update on progress for this, @flotwig ? Cheers |
@pete-om The repo @borecz shared did not seem to reproduce this issue, so I am still unable to make any progress as I do not have an example of the bug to work with. If nobody can provide a reproduction still, here is a list of locations to look at to try and debug this issue, if anyone wants to try to fix this themselves and open a PR:
|
🤦♂️ I'd been scanning release notes every update but managed to miss #6628 in the list for 4.3.0, and that sounds exactly like my problem as described in this thread above. Have updated to latest and my issues are now resolved too. Thanks @flotwig @corwinstephen |
Nice! Closing this issue since @pete-om was the OP. Anyone who is still experiencing cookie issues in the latest version of Cypress, please search the repo for the issue or open a new issue if one does not exist. |
Originally posted by @pete-om in #5432 (comment)
#5432 is not fixed for me in 3.6.1.
Without a workaround, my authentication script still fails in 3.6.1. Cypress still appears to only process the first cookie in the set-cookie array. Everything works as expected in 3.4.1
The auth flow goes like this:
So what we should be left with after all the above is two cookies: token1 and auth token. What I get as of 3.5.0+ is just token1 (from the original get request) and no auth token.
And we're not going outside our subdomain at any point so the cookies all have the same domain.
Note: if I cy.visit('/account/login'), type the username and password in and submit the form, the redirect sets all the cookies correctly and lets cypress log in, this method has never stopped working. It's only doing it via cy.request that's failing.
Hope this helps, let me know if there's anything else I can do :)
The text was updated successfully, but these errors were encountered: