Open rsanchez opened 4 years ago
We’ve seen this and similar session-related issues crop up when the defaultCookieDomain setting is changed. Can you try to reproduce in an incognito/private window? If it works there, then this is a browser caching issue.
Doesn't work in incognito either. Another note: ELB has Sticky sessions enabled.
I'm not able to reproduce this locally. From your staging site, can you try setting the defaultCookieDomain to rule out load balancer/sticky session shenanigans?
This is a good idea. I'll have to change the staging domain(s) to test with defaultCookieDomain so I'll work on that and report back here. Thank you!
OK we've updated our staging site to have the same subdomain scheme as production and to use the defaultCookieDomain setting, and the feature works fine. So it seems that we've isolated the issue to scenarios with both a Load Balancer and the defaultCookieDomain setting.
Progress... does staging also have sticky sessions enabled? If so and you disable it, does the behavior change?
Staging does not have a load balancer and therefore no sticky sessions--it's a single instance. So it seems like my problem has to do with the load balanced scenario. Any ideas?
Gah, my bad.
FWIW, we have defaultCookieDomain set on id.craftcms.com to a wildcard. It's in a load-balanced environment without sticky sessions and the "login as a user" functionality works fine, which is why I was wondering if sticky sessions were the culprit.
Is anything useful being logged in Craft's logs when it happens?
Not much useful in the logs. I think as far as Craft is concerned, there is no error, it does its job of looking up the user, creating a session and setting a cookie.
I do have logs of the request/responses headers in this flow. Maybe a clue in here?
method: POST
authority: www.mysite.com
scheme: https
path: /admin/users/87
content-length: 618
cache-control: max-age=0
origin: https://www.mysite.com
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
sec-fetch-dest: document
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
referer: https://www.mysite.com/admin/users/87
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es-ES;q=0.8,es;q=0.7
cookie: CraftSessionId=e679ef321dacb261478e3f47aa536235
cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=5476bb63631656681337b32ef86049f250d880dd142029513b85c7141c628632a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A254%3A%22%5B%2273%22%2C%22%5B%5C%228TS_fR9zJeN9VME6Nb-S-5tL9XZ4aa6C3ufArQYLZ1soRospUnc_p_nCoYsUu3h-7zZR7S_delQGwOzAfmVEBG0ghTXGoDkuGYVU%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_14_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F80.0.3987.132+Safari%2F537.36%5C%22%5D%22%2C1209600%5D%22%3B%7D
cookie: CRAFT_CSRF_TOKEN=f3017ffb902f70edeac139ab4f61a5f4f1f45cbf144f814fea6efbaae63925fda%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A209%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C6b6d4b309f44607ace1a9b5999e11cc647f494ae6db98bb9caead4c8d30d4530SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C73%7C%242y%2413%24LVW9FdAgbz6q7qLmbdCxCOUhHEwOOjAH0Shmq0MKg.v6pNALtNlvW%22%3B%7D
cookie: 1031b8c41dfff97a311a7ac99863bdc5_username=e4dadd110094e7beee78fb889597f3994709ae977078b4615a3c05f2d2c88b4aa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A16%3A%22rob%40happycog.com%22%3B%7D
cookie: AWSALB=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY
cookie: AWSALBCORS=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY
CRAFT_CSRF_TOKEN=5IeXGZXDLnotqrXn3tvQeRJmirsQjzDVUsm_b5HH8T0cyvosiPcdzBMPx_RBXHQciBSLx8a-1Vtao-5BOGQCGvtM_rH5wHCAiFNyfLLvWIbQa-MeMFvQSnmZBYHuFj3H8ShjmQ6kMyrtPr-BjC3FjN7V8H3dtum7xRezDzvn2ivzpBwwp7mZQFpczQVomM1YVpM8K7RKvwipzeQtlBU99xl11gM0QkAHBJrXnOycULpiloktygSOiOQa2tMCD8zt_tq8iJLz_Ze7iTe5vAaGnSC3ycB3_Pt9T0Ce1o6Pjr9BdDP6-GjtUZ82hd0N36W5SC25nVS4v0KcbzmlwiVoFi-4Le3z8ojlbDvAi3BZXWAvwnXH1MjxE-O-Z0UahtZs57Vdh3wJY7IoQPpk5I9yCaTJTFCpapAGGd1t8dbiRP3f67jEHrTnvNT9ceZ_eJ-4SrnAUFLF9_sIL22-YhCohQcG7wsYyG6NcY381wnYQ2rOXxGXZFY4dnYz65vxjvgTwiHZ3EWCQfnHq3CbmzJcpICP6vHD9d2LocvHdvXISOrrdw%3D%3D&userId=87&action=users%2Fimpersonate
status: 302
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
location: https://www.mysite.com/
server: nginx
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: CraftSessionId=ba0601c06c9404dd69ba8c0df996b99e; path=/; domain=.mysite.com; secure; HttpOnly
x-powered-by: Craft Commerce,Craft CMS
x-robots-tag: none
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
set-cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly
set-cookie: CRAFT_CSRF_TOKEN=7be3390d4bbccb71f072a1efded34f7778c4a83599bd0916c212797399846566a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A149%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C868d3bf556f0434ec145363a83880979ae6a467ff04d5ef576a1626e2a23fae9SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C87%7C%22%3B%7D; path=/; domain=.mysite.com; secure; HttpOnly
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
status: 200
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
set-cookie: AWSALB=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/
set-cookie: AWSALBCORS=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/; SameSite=None; Secure
server: nginx
vary: Accept-Encoding
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: Craft Commerce,Craft CMS
link: <https://www.googletagmanager.com>; rel=dns-prefetch;,<https://www.googletagmanager.com>; rel=preconnect; crossorigin;
link: <https://www.mysite.com/>; rel='canonical'
x-robots-tag: all
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-encoding: gzip
<REDACTED FRONTEND HTML HERE>
Looks like the AWSALB and AWSALBCORS (assuming those are used for sticky sessions) cookie values change... maybe something is deleting that cookie, causing a new one to be sent, which bounces you to a new server where you lose the PHP session?
I had this same issue and I found that you need to clear all site data in your browser. Just clearing the sessions, cookies, and local storage still allows this to be an issue.
Also, you'll want to do this on all related domains.
My particular issue could be related to setting the defaultCookieDomain to "domain.com" without the leading period. I have a naked domain and it was causing issues if I set the period.
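The header dump above is easier to reason about once the cookie flow is pulled out of it: which cookies the POST carried, which the 302 reissued or deleted, whether the sticky-session cookies changed on the follow-up 200, and whether each Domain-scoped cookie actually covers the request host (the leading-dot question raised in the previous comment). The following is an added diagnostic written for this thread, not code from the issue, from Craft CMS, or from AWS. It assumes the dump's own line layout (a "method:" line opens the request, each "status:" line opens a response), uses the AWSALB/AWSALBCORS names seen in the dump as the sticky cookies, and applies the RFC 6265 domain-matching rule (a leading dot on the Domain attribute is ignored; the cookie is sent to the domain and its subdomains). SAMPLE_CAPTURE is a constructed, shortened stand-in for the posted headers; its cookie values are placeholders.

```python
"""Cookie-flow diagnostic for a captured "login as user" exchange (added example).

Constructed sample input modelled on the issue's header dump; cookie values are
placeholders, not the real ones.
"""
from dataclasses import dataclass, field

SAMPLE_CAPTURE = """\
method: POST
authority: www.mysite.com
path: /admin/users/87
cookie: CraftSessionId=sess-old
cookie: abc123_identity=ident-old
cookie: CRAFT_CSRF_TOKEN=csrf-old
cookie: AWSALB=lb-node-a
cookie: AWSALBCORS=lb-node-a
status: 302
location: https://www.mysite.com/
set-cookie: CraftSessionId=sess-new; path=/; domain=.mysite.com; secure; HttpOnly
set-cookie: abc123_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly
set-cookie: CRAFT_CSRF_TOKEN=csrf-new; path=/; domain=.mysite.com; secure; HttpOnly
status: 200
set-cookie: AWSALB=lb-node-b; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/
set-cookie: AWSALBCORS=lb-node-b; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/; SameSite=None; Secure
"""

STICKY_COOKIES = ("AWSALB", "AWSALBCORS")  # ALB sticky-session cookie names seen in the dump


@dataclass
class Message:
    kind: str                                    # "request" or "response"
    headers: list = field(default_factory=list)  # (lowercased name, value) pairs


def parse_capture(text):
    """Split the flat dump into Message objects; lines without a colon are skipped."""
    messages = []
    for raw in text.splitlines():
        if ":" not in raw:
            continue
        name, value = raw.split(":", 1)
        name, value = name.strip().lower(), value.strip()
        if name == "method":
            messages.append(Message("request"))
        elif name == "status":
            messages.append(Message("response"))
        if messages:
            messages[-1].headers.append((name, value))
    return messages


def request_cookies(msg):
    """Cookies the client sent, as {name: value}; also handles 'a=1; b=2' on one line."""
    jar = {}
    for name, value in msg.headers:
        if name == "cookie":
            for pair in value.split(";"):
                if "=" in pair:
                    k, v = pair.strip().split("=", 1)
                    jar[k] = v
    return jar


def set_cookies(msg):
    """Each Set-Cookie header as (name, value, {attr: value}); flag attrs map to True."""
    out = []
    for name, value in msg.headers:
        if name != "set-cookie":
            continue
        parts = [p.strip() for p in value.split(";")]
        cname, cval = parts[0].split("=", 1)
        attrs = {}
        for p in parts[1:]:
            k, _, v = p.partition("=")
            if k:
                attrs[k.strip().lower()] = v.strip() if v else True
        out.append((cname, cval, attrs))
    return out


def is_deletion(value, attrs):
    """A server deletes a cookie by expiring it: Max-Age=0 or an Expires in the past."""
    expires = str(attrs.get("expires", ""))
    return attrs.get("max-age") == "0" or "1970" in expires or value == "deleted"


def domain_matches(host, cookie_domain):
    """RFC 6265 domain matching: leading dot ignored; domain itself and subdomains match."""
    d = cookie_domain.lstrip(".").lower()
    h = host.lower()
    return h == d or h.endswith("." + d)


def diagnose(messages, sticky=STICKY_COOKIES):
    """Compare what the request sent with what the responses set, deleted or rotated."""
    request = next(m for m in messages if m.kind == "request")
    host = dict(request.headers).get("authority", "")
    sent = request_cookies(request)
    findings = {"rotated": [], "deleted": [], "sticky_changed": [], "out_of_scope": []}
    for resp in (m for m in messages if m.kind == "response"):
        for cname, cval, attrs in set_cookies(resp):
            if is_deletion(cval, attrs):
                findings["deleted"].append(cname)
            elif cname in sent and sent[cname] != cval:
                findings["sticky_changed" if cname in sticky else "rotated"].append(cname)
            dom = attrs.get("domain")
            if isinstance(dom, str) and host and not domain_matches(host, dom):
                findings["out_of_scope"].append((cname, dom))
    return findings


def explain(findings, session_cookie="CraftSessionId"):
    """Turn findings into the conclusions a reviewer would draw from the dump."""
    notes = []
    if session_cookie in findings["rotated"]:
        notes.append(f"{session_cookie} was reissued: the server started a fresh PHP session.")
    if findings["sticky_changed"]:
        notes.append("Sticky-session cookie changed between responses: the follow-up request "
                     "was served by a different backend than the one that created the session.")
    for cname, dom in findings["out_of_scope"]:
        notes.append(f"{cname} is scoped to {dom}, which does not cover the request host.")
    return notes


if __name__ == "__main__":
    result = diagnose(parse_capture(SAMPLE_CAPTURE))
    for key, items in result.items():
        print(f"{key}: {items}")
    for line in explain(result):
        print("-", line)
```

Run it against a real capture by pasting the request and response headers into SAMPLE_CAPTURE (or reading a file into parse_capture); an out_of_scope entry means a Domain attribute that the browser would not send back to the host that made the request, and a sticky_changed entry alongside a rotated session cookie is the pattern described in the comment above.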
Description
The Login as User feature does not log you in on one of our production sites. It redirects you to the front-end but you appear logged out.
This site is multi-site and has to work on www.domain.com and another subdomain. When we changed the defaultCookieDomain config to be the domain with a leading dot (.domain.com), this allowed front-end logins to work across both subdomains, but the Login as User feature stopped working. The site is hosted on AWS EC2 with a load balancer and two Craft servers.
Our staging site is also on EC2, but with no load balancer. We do NOT set the defaultCookieDomain setting on staging, and the Login as User feature works on staging.
Additional info