craftcms / cms

Build bespoke content experiences with Craft.
https://craftcms.com

Login as User not working with wildcard defaultCookieDomain #5799

Open rsanchez opened 4 years ago

rsanchez commented 4 years ago

Description

The Login as User feature does not log you in on one of our production sites. It redirects you to the front-end but you appear logged out.

This site is multi-site and has to work on www.domain.com and another subdomain. When we changed the defaultCookieDomain config to be the domain with a leading dot (.domain.com), this allowed front-end logins to work across both subdomains, but the Login as User feature stopped working.

The site is hosted on AWS EC2 with a load balancer and two Craft servers.

Our staging site is also on EC2, but with no load balancer. We do NOT set the defaultCookieDomain setting on staging, and the Login as User feature works on staging.

Additional info

brandonkelly commented 4 years ago

We’ve seen this and similar session-related issues crop up when the defaultCookieDomain setting is changed. Can you try to reproduce in an incognito/private window? If it works there, then this is a browser caching issue.

rsanchez commented 4 years ago

Doesn't work in incognito either. Another note: ELB has Sticky sessions enabled.

angrybrad commented 4 years ago

I'm not able to reproduce this locally. From your staging site, can you try setting the defaultCookieDomain to rule out load balancer/sticky session shenanigans?

rsanchez commented 4 years ago

This is a good idea. I'll have to change the staging domain(s) to test with defaultCookieDomain so I'll work on that and report back here. Thank you!

rsanchez commented 4 years ago

OK we've updated our staging site to have the same subdomain scheme as production and to use defaultCookieDomain setting, and the feature works fine. So it seems that we've isolated the issue to scenarios with both a Load Balancer and defaultCookieDomain setting.

angrybrad commented 4 years ago

Progress... does staging also have sticky sessions enabled? If so and you disable it, does the behavior change?

rsanchez commented 4 years ago

Staging does not have a load balancer and therefore no sticky sessions--it's a single instance. So it seems like my problem has to do with the load balanced scenario. Any ideas?

angrybrad commented 4 years ago

Gah, my bad.

FWIW, we have defaultCookieDomain set on id.craftcms.com to a wildcard. It's in a load-balanced environment without sticky sessions and the "login as a user" functionality works fine, which is why I was wondering if sticky sessions were the culprit.

Is anything useful being logged in Craft's logs when it happens?

rsanchez commented 4 years ago

Not much useful in the logs. I think as far as Craft is concerned, there is no error, it does its job of looking up the user, creating a session and setting a cookie.

I do have logs of the request/responses headers in this flow. Maybe a clue in here?

Admin Login as User Request

method: POST
authority: www.mysite.com
scheme: https
path: /admin/users/87
content-length: 618
cache-control: max-age=0
origin: https://www.mysite.com
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
sec-fetch-dest: document
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
referer: https://www.mysite.com/admin/users/87
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es-ES;q=0.8,es;q=0.7
cookie: CraftSessionId=e679ef321dacb261478e3f47aa536235
cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=5476bb63631656681337b32ef86049f250d880dd142029513b85c7141c628632a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A254%3A%22%5B%2273%22%2C%22%5B%5C%228TS_fR9zJeN9VME6Nb-S-5tL9XZ4aa6C3ufArQYLZ1soRospUnc_p_nCoYsUu3h-7zZR7S_delQGwOzAfmVEBG0ghTXGoDkuGYVU%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_14_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F80.0.3987.132+Safari%2F537.36%5C%22%5D%22%2C1209600%5D%22%3B%7D
cookie: CRAFT_CSRF_TOKEN=f3017ffb902f70edeac139ab4f61a5f4f1f45cbf144f814fea6efbaae63925fda%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A209%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C6b6d4b309f44607ace1a9b5999e11cc647f494ae6db98bb9caead4c8d30d4530SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C73%7C%242y%2413%24LVW9FdAgbz6q7qLmbdCxCOUhHEwOOjAH0Shmq0MKg.v6pNALtNlvW%22%3B%7D
cookie: 1031b8c41dfff97a311a7ac99863bdc5_username=e4dadd110094e7beee78fb889597f3994709ae977078b4615a3c05f2d2c88b4aa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A16%3A%22rob%40happycog.com%22%3B%7D
cookie: AWSALB=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY
cookie: AWSALBCORS=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY

CRAFT_CSRF_TOKEN=5IeXGZXDLnotqrXn3tvQeRJmirsQjzDVUsm_b5HH8T0cyvosiPcdzBMPx_RBXHQciBSLx8a-1Vtao-5BOGQCGvtM_rH5wHCAiFNyfLLvWIbQa-MeMFvQSnmZBYHuFj3H8ShjmQ6kMyrtPr-BjC3FjN7V8H3dtum7xRezDzvn2ivzpBwwp7mZQFpczQVomM1YVpM8K7RKvwipzeQtlBU99xl11gM0QkAHBJrXnOycULpiloktygSOiOQa2tMCD8zt_tq8iJLz_Ze7iTe5vAaGnSC3ycB3_Pt9T0Ce1o6Pjr9BdDP6-GjtUZ82hd0N36W5SC25nVS4v0KcbzmlwiVoFi-4Le3z8ojlbDvAi3BZXWAvwnXH1MjxE-O-Z0UahtZs57Vdh3wJY7IoQPpk5I9yCaTJTFCpapAGGd1t8dbiRP3f67jEHrTnvNT9ceZ_eJ-4SrnAUFLF9_sIL22-YhCohQcG7wsYyG6NcY381wnYQ2rOXxGXZFY4dnYz65vxjvgTwiHZ3EWCQfnHq3CbmzJcpICP6vHD9d2LocvHdvXISOrrdw%3D%3D&userId=87&action=users%2Fimpersonate

Admin Login as User Response

status: 302
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
location: https://www.mysite.com/
server: nginx
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: CraftSessionId=ba0601c06c9404dd69ba8c0df996b99e; path=/; domain=.mysite.com; secure; HttpOnly
x-powered-by: Craft Commerce,Craft CMS
x-robots-tag: none
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
set-cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly
set-cookie: CRAFT_CSRF_TOKEN=7be3390d4bbccb71f072a1efded34f7778c4a83599bd0916c212797399846566a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A149%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C868d3bf556f0434ec145363a83880979ae6a467ff04d5ef576a1626e2a23fae9SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C87%7C%22%3B%7D; path=/; domain=.mysite.com; secure; HttpOnly
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade

After Login As User Response

status: 200
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
set-cookie: AWSALB=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/
set-cookie: AWSALBCORS=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/; SameSite=None; Secure
server: nginx
vary: Accept-Encoding
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: Craft Commerce,Craft CMS
link: <https://www.googletagmanager.com>; rel=dns-prefetch;,<https://www.googletagmanager.com>; rel=preconnect; crossorigin;
link: <https://www.mysite.com/>; rel='canonical'
x-robots-tag: all
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-encoding: gzip

<REDACTED FRONTEND HTML HERE>

angrybrad commented 4 years ago

Looks like the AWSALB and AWSALBCORS (assuming those are used for sticky sessions) cookie values change... maybe something is deleting that cookie, causing a new one to be sent, which bounces you to a new server where you lose the PHP session?

simeon-smith commented 4 years ago

I had this same issue and I found that you need to clear all site data in your browser. Just clearing the sessions, cookies, and local storage still allows this to be an issue.

Also, you'll want to do this on all related domains.

My particular issue could be related to setting the defaultCookieDomain to "domain.com" without the leading period. I have a naked domain and it was causing issues if I set the period.
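Two points in this thread are easy to check mechanically from header logs like the ones rsanchez pasted: angrybrad's observation that the AWSALB/AWSALBCORS affinity cookie values change between the login request and the following response, and the question of how a Domain attribute with or without a leading dot scopes a cookie. The script below is an added example, not Craft CMS code and not written by anyone in this thread. It parses request `cookie:` and response `set-cookie:` lines in the pasted format, applies the RFC 6265 domain-match rule (a leading dot in Domain is ignored by the spec, so `.mysite.com` and `mysite.com` cover the same hosts), and reports cookies whose Domain does not cover the request host, affinity cookies re-issued mid-flow, and cookies missing Secure/HttpOnly. The header values are trimmed copies of those in the issue; the `AFFINITY_COOKIES` set and the alternate host `shop.example.net` are assumptions for the demo.

```python
"""Cookie-flow checker for a login sequence behind a load balancer (added example)."""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Sequence, Tuple

AFFINITY_COOKIES = {"AWSALB", "AWSALBCORS"}  # assumed: the ALB stickiness cookie names


@dataclass
class SetCookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]] = field(default_factory=dict)  # lower-cased attribute names


def parse_set_cookie(header_value: str) -> SetCookie:
    """Split one Set-Cookie value into name, value and its attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if attr:
            key, has_eq, val = attr.partition("=")
            attrs[key.strip().lower()] = val.strip() if has_eq else None
    return SetCookie(name.strip(), value, attrs)


def parse_cookie_header(header_value: str) -> Dict[str, str]:
    """Split a request Cookie value into a name -> value map."""
    jar: Dict[str, str] = {}
    for pair in header_value.split(";"):
        name, _, value = pair.strip().partition("=")
        if name:
            jar[name] = value
    return jar


def domain_matches(host: str, cookie_domain: str) -> bool:
    """RFC 6265 domain-match. A leading dot in the Domain attribute is dropped
    (section 5.2.3), so '.mysite.com' and 'mysite.com' scope identically."""
    host, d = host.lower(), cookie_domain.lower().lstrip(".")
    return host == d or host.endswith("." + d)


def header_values(lines: Sequence[str], header: str) -> List[str]:
    """Values of every '<header>: ...' line in a pasted log block."""
    prefix = header.lower() + ":"
    return [l.split(":", 1)[1].strip() for l in lines if l.lower().startswith(prefix)]


def missing_flags(cookie: SetCookie) -> List[str]:
    """Hardening flags absent from a Set-Cookie."""
    return [f for f in ("secure", "httponly") if f not in cookie.attrs]


def analyse(steps: Sequence[Tuple[Sequence[str], Sequence[str]]], host: str) -> List[str]:
    """Walk (request_lines, response_lines) pairs, carrying a cookie jar across
    them, and return findings. An affinity cookie whose value differs from the
    one the client sent suggests the request landed on a different backend."""
    findings: List[str] = []
    jar: Dict[str, str] = {}
    for request_lines, response_lines in steps:
        for v in header_values(request_lines, "cookie"):
            jar.update(parse_cookie_header(v))
        for v in header_values(response_lines, "set-cookie"):
            c = parse_set_cookie(v)
            domain = c.attrs.get("domain")
            if domain and not domain_matches(host, domain):
                findings.append(f"{c.name}: Domain={domain} does not cover {host}")
            if c.name in AFFINITY_COOKIES and jar.get(c.name, c.value) != c.value:
                findings.append(f"{c.name}: affinity cookie re-issued, backend may have changed")
            if missing_flags(c):
                findings.append(f"{c.name}: missing {', '.join(missing_flags(c))}")
            jar[c.name] = c.value
    return findings


# Trimmed copies of the headers pasted in the issue (long values shortened)
LOGIN_REQUEST = [
    "authority: www.mysite.com",
    "cookie: CraftSessionId=e679ef321dacb261478e3f47aa536235",
    "cookie: AWSALB=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6",
    "cookie: AWSALBCORS=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6",
]
LOGIN_RESPONSE = [
    "status: 302",
    "set-cookie: CraftSessionId=ba0601c06c9404dd69ba8c0df996b99e; path=/; domain=.mysite.com; secure; HttpOnly",
    "set-cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly",
]
AFTER_RESPONSE = [  # the GET that followed the 302 was not logged, so the jar is carried forward
    "status: 200",
    "set-cookie: AWSALB=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP4; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/",
    "set-cookie: AWSALBCORS=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP4; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/; SameSite=None; Secure",
]


def issue_flow_findings() -> List[str]:
    """Findings for the flow logged in the issue, seen from www.mysite.com."""
    return analyse([(LOGIN_REQUEST, LOGIN_RESPONSE), ([], AFTER_RESPONSE)], "www.mysite.com")


if __name__ == "__main__":
    for line in issue_flow_findings():
        print(line)
```

Run against the issue's own flow, the checker reports both ALB cookies as re-issued after the redirect and notes that they carry no HttpOnly (and AWSALB no Secure), while the Craft session and identity cookies, scoped to `.mysite.com`, cover `www.mysite.com` correctly. Passing a host outside that domain instead (the assumed `shop.example.net`) flips the result: the session cookies are then the ones flagged, which is the symptom to expect when defaultCookieDomain is set to a domain the front-end host does not match.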