[BUG] Incorrect cookie scope #467

Closed
metalblue opened this issue Jan 26, 2025 · 5 comments · Fixed by #460
@metalblue

Describe the bug
When using an internal domain of the form MyApp.MySubdomain.MyDomain.co.uk the cookie scope gets set to co.uk, which the browser (Chrome) refuses to accept. This appears to prevent users from logging in.

I believe the offending code is in the following files:

  • frontend/src/routes/login/+page.server.ts and function handleSuccessfulLogin.
  • frontend/src/routes/+page.server.ts

To Reproduce

  1. Deploy the app to a domain of the form MyApp.MySubdomain.MyDomain.co.uk
  2. Try and log in and watch it fail.

Expected behavior
I would expect the cookie scope to be set to MyDomain.co.uk, or MySubdomain.MyDomain.co.uk or even MyApp.MyDomain.co.uk. I suspect this will require a new environment variable given the difficulty of automatically detecting this.

Screenshots
Console output from docker logs -f adventurelog-frontend

Setting sessionid cookie with domain: .co.uk
The origin to be set is: https://adventurelog.MySubdomian.MyDomain.co.uk
Listening on 0.0.0.0:3000


@metalblue metalblue added the bug Something isn't working label Jan 26, 2025
@seanmorley15
Owner

This is a known issue - I will be taking care of this ASAP in the next 2 days. I will keep you updated. Thanks for the understanding 🙏

@seanmorley15 seanmorley15 self-assigned this Jan 26, 2025
@metalblue
Author

No worries. Thanks for the quick response (wasn't expecting that), and thanks for an awesome project.

Let me know when it's ready for testing and I'll be happy to try and help out.

@seanmorley15
Owner

seanmorley15 commented Jan 27, 2025

@metalblue, go ahead and pull the beta image version for both the frontend and backend to try out the fix. Let me know how it goes - if it's good I'll go ahead and merge :)

@rmblau

rmblau commented Jan 27, 2025

@seanmorley15 I just pulled the beta tag down and it fixed my login loop.

@metalblue
Author

@seanmorley15 I've just pulled the beta image too and it works.

However, having reviewed what's happening (and I appreciate it goes against my earlier comment), I'm not sure if this should be marked as complete.

The scope is now being set to MyDomain.co.uk, which in my case is fine as I own that domain. However, if someone is using some form of dynamic DNS provider then the scope will still be set too high as they might only own 'MySubdomain.DynamicDns.co.uk'.
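
An added example, not the project's code or its fix, of the scoping problem discussed in this thread: a last-two-labels rule produces `.co.uk`, while a public-suffix lookup gives the registrable domain and lets an operator override be validated, with a host-only cookie as the default. The suffix table is a small constructed subset, `dynamicdns.co.uk` is a placeholder entry, and `override` is a hypothetical setting.

```typescript
// Constructed subset of public-suffix rules, for illustration only; real code
// should load the full Public Suffix List (ICANN and private sections).
const PUBLIC_SUFFIXES: Record<string, true> = {
  "uk": true, "co.uk": true, "com": true,
  "dynamicdns.co.uk": true, // placeholder for a dynamic DNS provider's private entry
};

const normalize = (name: string): string => name.toLowerCase().replace(/^\.|\.$/g, "");

// Naive rule (an assumption, not the project's code): keep the last two labels.
function naiveCookieDomain(host: string): string {
  return "." + normalize(host).split(".").slice(-2).join(".");
}

// Registrable domain = longest matching public suffix plus one label to its left.
// undefined when the host is itself a public suffix or matches no known rule.
function registrableDomain(host: string): string | undefined {
  const labels = normalize(host).split(".");
  for (let i = 0; i < labels.length; i++) {
    if (PUBLIC_SUFFIXES[labels.slice(i).join(".")] === true) {
      return i === 0 ? undefined : labels.slice(i - 1).join(".");
    }
  }
  return undefined;
}

// True when `name` equals `parent` or is a subdomain of it.
function isWithin(name: string, parent: string): boolean {
  return name === parent || name.slice(-(parent.length + 1)) === "." + parent;
}

// Choose the cookie Domain attribute. `override` is a hypothetical operator
// setting (for example read from an environment variable). Returning undefined
// means "omit Domain", which gives a host-only cookie, the narrowest scope.
function cookieDomainFor(host: string, override?: string): string | undefined {
  if (override === undefined || override === "") return undefined;
  const h = normalize(host);
  const d = normalize(override);
  const reg = registrableDomain(h);
  // The override must cover this host and must not be wider than the
  // registrable domain, otherwise browsers reject it or share it too broadly.
  if (reg === undefined || !isWithin(h, d) || !isWithin(d, reg)) {
    throw new Error(`cookie domain "${override}" is not valid for host "${host}"`);
  }
  return d;
}
```
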
