SSL Requests on staging environments fail - ios

Our mobile app recently stopped authenticating properly with our server on our staging and staging2 environments. Fortunately production is fine.
We're using force_ssl in our API's Session and Registration controllers. It was working fine before; not really sure what changed.
What seems to be happening is that our app submits a POST request to either create a new session or user. This request is over SSL, but we get a 301 Moved Permanently with a location identical to the initial request. I believe this redirect is performed via GET and since no routes match a GET to that URL, we then get a 404 Not Found.
I can't figure out why this changed recently and why it's not affecting production.

Turns out it was something having to do with Engine Yard, and an upgrade of our environment solved the problem.

Related

Rails CSRF validation not working with proxy server in production

I have a simple feedback form on my Rails 5 app, which is failing CSRF validation on POSTs - but only in production. More specifically, the production server is foo.example.com, but the service is accessed by a proxy server proxy.example.com. There's an Nginx server running on the proxy that routes requests to the appropriate application server.
If I browse directly to http://foo.example.com, and submit the form, everything is fine. But submitting the same form when viewed as https://proxy.example.com, I get the CSRF failure. There are two key differences between the two access routes: the request rewriting by the proxy, and http vs. https. I'm not sure which is the relevant factor.
One theory was that the domain used by the session store was not coming out correctly, but I tried various variants of passing domain: to Rails.application.config.session_store, but none of them made any differences. After that, I've rather run out of hypotheses as to where to look.
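Both the force_ssl redirect in the first question and the Rails 5 CSRF origin check that applies to the proxied form post above take the request's scheme and host from whatever the TLS-terminating proxy forwards to the application. The following added example (not code from either poster, from Rails or from Engine Yard) models that logic in plain Ruby: ssl?, host, base_url, force_ssl_redirect, method_after_redirect and origin_check_passes? are this example's own simplified readings of Rack::Request#ssl?, ActionDispatch::Request#base_url, the Rails 3/4 controller-level force_ssl and the Rails 5 valid_request_origin? check (ports are left out), and the hostnames and env hashes are constructed. Neither post says a missing forwarded scheme was the underlying cause; the example only shows that it produces the symptoms described, a 301 whose Location equals the original https URL and a base_url that no longer matches the browser's Origin.

```ruby
# Added example (not from any of the posts above): a stdlib-only Ruby model of
# how Rack and Rails work out the scheme and host of a request that arrived
# through a TLS-terminating proxy, and of two checks on this page that depend
# on that: the controller-level force_ssl redirect and the Rails 5 CSRF origin
# check. The rules follow Rack::Request#ssl? and ActionDispatch::Request#base_url
# in simplified form (no ports); every env hash below is constructed.

# "Was this request made over TLS?" as Rack answers it. Behind a proxy the TLS
# connection ends at the proxy, so the app can only learn the original scheme
# from a forwarded header; without one, an https request looks like plain http.
def ssl?(env)
  return true if env['HTTPS'] == 'on'
  return true if env['HTTP_X_FORWARDED_SSL'] == 'on'
  proto = env['HTTP_X_FORWARDED_PROTO'].to_s
  return true if !proto.empty? && proto.split(',').first.strip == 'https'
  env['rack.url_scheme'] == 'https'
end

# Host as the app sees it: the last X-Forwarded-Host value wins, else Host.
def host(env)
  forwarded = env['HTTP_X_FORWARDED_HOST'].to_s
  return forwarded.split(',').last.strip unless forwarded.empty?
  (env['HTTP_HOST'] || env['SERVER_NAME'] || '').split(':').first.to_s
end

def base_url(env)
  "#{ssl?(env) ? 'https' : 'http'}://#{host(env)}"
end

# Controller-level force_ssl as in Rails 3/4: a request that does not look like
# TLS is redirected to the https form of the same URL with a 301. When the
# request really was https but the proxy dropped the scheme, the Location is
# identical to the URL the client already used, which is the symptom the first
# question reports.
def force_ssl_redirect(env, status: 301)
  return nil if ssl?(env)
  [status, { 'Location' => "https://#{host(env)}#{env['PATH_INFO']}" }]
end

# How a client re-issues a redirected POST: 301, 302 and 303 are followed as
# GET by browsers and most HTTP client libraries, so a POST-only route then
# answers 404; 307 and 308 keep the method and body.
def method_after_redirect(status, original_method)
  [301, 302, 303].include?(status) ? 'GET' : original_method
end

# Rails 5 CSRF origin check (forgery_protection_origin_check): a request that
# carries an Origin header passes only if it equals the app's own base_url,
# which is itself built from the forwarded headers above. Proxying https to
# http, or rewriting Host, changes base_url and makes a legitimate same-site
# form post look cross-origin.
def origin_check_passes?(env)
  origin = env['HTTP_ORIGIN']
  origin.nil? || origin == base_url(env)
end

# Constructed envs: one https POST to a session endpoint, as the app sees it
# when the proxy does and does not forward the original scheme.
SESSION_POST_NO_PROTO = {
  'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/api/sessions',
  'HTTP_HOST' => 'staging.example.com', 'rack.url_scheme' => 'http'
}.freeze
SESSION_POST_WITH_PROTO = SESSION_POST_NO_PROTO.merge(
  'HTTP_X_FORWARDED_PROTO' => 'https'
).freeze

# Constructed envs for a form posted through proxy.example.com to the backend
# foo.example.com, before and after the proxy forwards scheme and host.
FORM_POST_VIA_PROXY = {
  'REQUEST_METHOD' => 'POST', 'PATH_INFO' => '/feedback',
  'HTTP_HOST' => 'foo.example.com', 'rack.url_scheme' => 'http',
  'HTTP_ORIGIN' => 'https://proxy.example.com'
}.freeze
FORM_POST_VIA_PROXY_FORWARDED = FORM_POST_VIA_PROXY.merge(
  'HTTP_X_FORWARDED_PROTO' => 'https', 'HTTP_X_FORWARDED_HOST' => 'proxy.example.com'
).freeze

if __FILE__ == $PROGRAM_NAME
  p force_ssl_redirect(SESSION_POST_NO_PROTO)
  p force_ssl_redirect(SESSION_POST_WITH_PROTO) # nil
  p method_after_redirect(301, 'POST')          # "GET"
  p [base_url(FORM_POST_VIA_PROXY), origin_check_passes?(FORM_POST_VIA_PROXY)]
  p [base_url(FORM_POST_VIA_PROXY_FORWARDED), origin_check_passes?(FORM_POST_VIA_PROXY_FORWARDED)]
end
```

The practical check when a force_ssl loop or a production-only CSRF failure shows up behind a proxy is to log request.ssl?, request.host and request.base_url on the application side and compare them with the scheme and host the client actually used; the two will differ whenever the proxy does not forward them.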

Session cookie not being created only in production

I've been struggling with this for a while now and just can’t figure out why this is not working. I use Firefox/Firebug to see the session cookie being created in Development mode but when I run locally in Production the session cookie is not created. This, of course, causes all sorts of grief when the CSRF token is not in the session cookie and an exception is thrown.
The obvious place to look is in production.rb vs. development.rb, as all the rest of the code is the same; however, I can't see anything wrong there, and I compared both files to a newly created (test) Rails app.
Config Info:
session_store => cookie_store (rails default)
protect_from_forgery with: :exception (application_controller)
Any thoughts are appreciated. Thanks, Art
When I recently encountered the same situation, it turned out to be a problem with misconfigured session cookie domain.
Look into the HTTP headers your application sends with the responses. I guess the Set-Cookie header is sent for the session cookie as expected, but the browser refuses to save the cookie, because domain specified in the header doesn't match the actual production domain your application is running on.
To fix this, fix domain setting in the session store configuration.
Nope, neither of these was the problem. It was using Rack::Cached. I didn't have time to track down the why of it, just that removing it from my build stopped the problem without having to do anything else. Wish I'd had time to track this down further to help you all out.

Cookies are not set in the Response from Web API

Hi, I am running into a strange issue: while I am working, all of a sudden the cookies are not set properly in the response from Web API.
I am using Web API 5.2 and it sets a cookie [OWIN] and the client application reads the cookie and then authenticates via the Cookie Authentication Middleware.
It was working fine, but suddenly the cookies were not set. When I restarted the PC, it all started to work fine.
I have had this issue when the datetime was changed in the machine, however it happens all of a sudden in normal cases also.
If anybody has already faced this kind of issue, please share your findings.
Note: We are using the WebAPI as our Authorization Server and the Client application is an ASP.Net MVC 5.2 application.
We are using Redis cache as the session state manager.
Since we were using Redis Session-State, we were not getting the cookies set properly.
However, when I googled, I found that the Set-Cookie header was being overwritten and hence the cookies set earlier were lost. This was due to a situation where the ResponseCookies collection was serialized into the headers.
However, the suggested solution was to initialize the session so that it begins before the authentication happens. This was tried and is working fine.
Hope this helps someone who may encounter it in future.
ASP.NET_SessionId + OWIN Cookies do not send to browser

Grails Redirect not working when accessed through remote or other server

I am stuck at one point. We have to implement a feature which will redirect to login page with a message saying "Your session is expired, please login again!".
For this, I planned to redirect to a URL but redirection is not working! Following is the situation in my environment.
Grails Server:
http://SERVER_ONE/MyApp
Widgets (UI) Server:
http://SERVER_TWO/widgets/myWidget (different from grails server)
Login page:
http://SERVER_TWO/widgets/login
Config.groovy file already contains grails.serverURL = "http://SERVER_TWO/widgets/"
When I access the URL directly from grails server, e.g.
http://SERVER_ONE/MyApp
with invalid session, redirection works fine.
But redirection doesn't work when accessed from Widget page which is running on different server.
The redirect code is as follows:
redirect(uri: "http://SERVER_TWO/widgets/login?sessionExpired=true")
It would be great help to me, kindly respond, as I am relatively new to Grails development.
Do you have your sessions distributed across the servers? By default sessions are not cross-server.

Ruby on Rails allowing sessions between ports locally

Basically I am developing an API in Rails with RocketPants and Devise, and I'm creating a client with AngularJS. Since they are in folders maintained by separate people, I run the Rails API on localhost:3000 and the client on localhost:8000; in the live environment they will be on subdomains of the same top-level domain, api.example.com and app.example.com.
I have allowed for cross domain requests using Rack Cors and this seems to work fine, I can query for things and log in by sending my credentials to the API (I have also checked if this works by returning the logged in user's id).
However, the client does not seem to hang on to the session: after I log in and get back confirmation that I logged in successfully, and I make another request, it says the current_user is nil.
I have allowed for subdomains in rails I think by using the following in session_store.rb
AppName::Application.config.session_store :cookie_store, key: '_app-name_session', domain: :all
I cannot test this however.
Is there a good way to share sessions between ports locally? Or is there a good way to emulate subdomains for local testing between 2 projects (1 rails, 1 standalone)?
Have you considered using Pow to serve your apps in development?
You could then run them on the subdomains, just like you do in production.
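The "session cookie not being created" answer above (a Set-Cookie whose Domain does not match the host the browser is on is silently dropped) and the "sessions between ports" question (a domain: :all session store, two ports on localhost) both come down to the browser's cookie storage rules. The following added example (not code from any of the posters or from Rails) models those rules in plain Ruby: domain_matches?, parse_set_cookie, cookie_outcome and cookie_sent_to? follow RFC 6265 sections 5.1.3, 5.3 and 8.5, and rails_domain_all is this example's simplified reading of what ActionDispatch::Cookies does for domain: :all with the default tld_length of 1. The Set-Cookie lines and hostnames are constructed.

```ruby
# Added example (not from any of the posts above): a stdlib-only Ruby model of
# why a browser keeps or silently drops a Set-Cookie header, following the
# storage rules in RFC 6265 section 5.3, plus a simplified model of how Rails
# picks the Domain attribute for `domain: :all`. Set-Cookie lines and hosts
# below are constructed; the `domain: :all` rule assumes tld_length 1 and a
# non-IP host.

# RFC 6265 5.1.3: the request host domain-matches the cookie's Domain when
# they are equal or the host ends with "." + domain. IP addresses never match a
# Domain attribute. No port appears anywhere in the rule.
def domain_matches?(request_host, cookie_domain)
  host = request_host.downcase
  domain = cookie_domain.downcase.sub(/\A\./, '')
  return false if host.match?(/\A\d{1,3}(\.\d{1,3}){3}\z/)
  host == domain || host.end_with?(".#{domain}")
end

# Split one Set-Cookie header into name, value and lower-cased attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, value = pair.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    key, val = attr.split('=', 2)
    acc[key.downcase] = val
  end
  { name: name, value: value, attributes: attributes }
end

# :stored, or the reason the browser discards the cookie. request_host is the
# host the browser connected to (without port); secure_transport says whether
# that connection was https. Both rejections happen without any error visible
# to the application, which is why the session simply "is not created".
def cookie_outcome(set_cookie, request_host:, secure_transport:)
  cookie = parse_set_cookie(set_cookie)
  domain = cookie[:attributes]['domain'].to_s
  return :rejected_domain_mismatch if !domain.empty? && !domain_matches?(request_host, domain)
  return :rejected_secure_over_http if cookie[:attributes].key?('secure') && !secure_transport
  :stored
end

# Whether a stored cookie is sent with a later request. A cookie without a
# Domain attribute is host-only; one with a Domain goes to that domain and its
# subdomains. Ports are ignored (RFC 6265 section 8.5), so localhost:3000 and
# localhost:8000 already share one cookie jar.
def cookie_sent_to?(set_cookie, cookie_origin_host, request_host)
  domain = parse_set_cookie(set_cookie)[:attributes]['domain'].to_s
  return request_host.downcase == cookie_origin_host.downcase if domain.empty?
  domain_matches?(request_host, domain)
end

# Rails `domain: :all` (tld_length 1), simplified: take the last two labels of
# the request host as ".example.com"; a single-label host such as localhost
# gets no Domain attribute at all, so the cookie stays host-only.
def rails_domain_all(request_host)
  labels = request_host.split('.')
  return nil if labels.size < 2
  ".#{labels.last(2).join('.')}"
end

# Constructed Set-Cookie headers as a Rails cookie session store might emit.
COOKIE_WRONG_DOMAIN  = '_app_session=abc123; Domain=app.example.com; Path=/; HttpOnly'
COOKIE_PARENT_DOMAIN = '_app_session=abc123; Domain=.example.com; Path=/; HttpOnly'
COOKIE_SECURE_ONLY   = '_app_session=abc123; Path=/; Secure; HttpOnly'
COOKIE_HOST_ONLY     = '_app_session=abc123; Path=/; HttpOnly'

if __FILE__ == $PROGRAM_NAME
  p cookie_outcome(COOKIE_WRONG_DOMAIN, request_host: 'staging.example.com', secure_transport: true)
  p cookie_outcome(COOKIE_SECURE_ONLY, request_host: 'localhost', secure_transport: false)
  p cookie_sent_to?(COOKIE_PARENT_DOMAIN, 'api.example.com', 'app.example.com') # true
  p rails_domain_all('api.example.com')                                          # ".example.com"
  p rails_domain_all('localhost')                                                # nil
end
```

To apply this to a real response, copy the Set-Cookie header from the browser's network panel and the host from the address bar into cookie_outcome; a :rejected_domain_mismatch result means the session store's domain option is wrong for that host, and :rejected_secure_over_http means a production-mode app is being served over plain http with a Secure session cookie.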
