ory / kratos


No resumable session found reason:The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again! #3653

Open meotimdihia opened 9 months ago

meotimdihia commented 9 months ago

Preflight checklist

Ory Network Project

No response

Describe the bug

Today, I switched my website domain and a lot of users can't log in by using a Google/Facebook account (OIDC). Clearing cookies might work, but not everyone knows how to do it. Someone even said they cleared cookies but still can't log in to my website.

I get these logs:

selfservice_errors table:

```json
{
  "code": 400,
  "debug": "key ory_kratos_oidc_auth_code_session does not exist in cookie: ory_kratos_continuity\ngithub.com/ory/kratos/x.SessionGetString.func1\n\t/project/x/cookie.go:30\ngithub.com/ory/kratos/x.SessionGetString.func2\n\t/project/x/cookie.go:40\ngithub.com/gorilla/sessions.(*CookieStore).NewExact\n\t/go/pkg/mod/github.com/ory/sessions@v1.2.2-0.20220110165800-b09c17334dc2/store.go:158\ngithub.com/gorilla/sessions.(*Registry).GetExact\n\t/go/pkg/mod/github.com/ory/sessions@v1.2.2-0.20220110165800-b09c17334dc2/sessions.go:162\ngithub.com/gorilla/sessions.(*CookieStore).GetExact\n\t/go/pkg/mod/github.com/ory/sessions@v1.2.2-0.20220110165800-b09c17334dc2/store.go:112\ngithub.com/ory/kratos/x.SessionGetString\n\t/project/x/cookie.go:39\ngithub.com/ory/kratos/continuity.(*ManagerCookie).sid\n\t/project/continuity/manager_cookie.go:100\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/project/continuity/manager_cookie.go:112\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/project/continuity/manager_cookie.go:67\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/project/selfservice/strategy/oidc/strategy.go:305\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/project/selfservice/strategy/oidc/strategy.go:377\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/project/selfservice/strategy/handler.go:28\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/project/selfservice/strategy/handler.go:33\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:21\ngithub.com/ory/kratos/x.NoCacheHandle.func1\n\t/project/x/nocache.go:21\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/httprouter@v1.3.0/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:234\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/nosurf@v1.2.7/handler.go:191\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/project/x/clean_url.go:15\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/negroni@v1.0.0/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2122\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:284\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2122\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:142\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2122\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:92\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2122\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/client_golang@v1.13.0/prometheus/promhttp/instrument_server.go:104",
  "reason": "The browser does not contain the necessary cookie to resume the session. This is a security violation and was blocked. Please clear your browser's cookies and cache and try again!",
  "status": "Bad Request",
  "message": "no resumable session found"
}
```


Reproducing the bug

I can't reproduce this problem. But Ory is full of these logs.

Relevant log output

No response

Relevant configuration

No response

Version

v1.0.0

On which operating system are you observing this issue?

None

In which environment are you deploying?

None

Additional Context

No response

jonas-jonas commented 9 months ago

Did you also update the "cookies.domain" setting?

meotimdihia commented 9 months ago

> Did you also update the "cookies.domain" setting?

Yes, I did it, but the error happened randomly, and just with OIDC login.
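The cookies.domain question above, worked through as an added example (this is not Kratos code or anything posted in the thread): Go's standard cookie jar plays the browser for one OIDC round-trip and reports how many `ory_kratos_continuity` cookies would reach the provider callback under a given cookies.domain value. The hosts other than auth.myapp.ink, the cookie value and the path of the issuing request are constructed, and the third case (two same-named cookies left behind by a cookies.domain change) is a check a practitioner would run on the "randomly" part of the report, not a diagnosis the thread reaches.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// The cookie that the stack trace in the report says lacks the
// ory_kratos_oidc_auth_code_session key.
const continuityCookie = "ory_kratos_continuity"

// ContinuityCookiesAtCallback lets Go's standard cookie jar play the browser
// (RFC 6265 domain matching, as a browser does) for one OIDC round-trip.
// For each entry in cookieDomains it replays one Set-Cookie of the continuity
// cookie issued while the flow started on issueHost, scoped to that
// cookies.domain value ("" means a host-only cookie), then returns how many
// cookies named ory_kratos_continuity the browser would attach to the
// provider callback arriving at callbackHost. 0 matches the report's
// "does not contain the necessary cookie"; more than 1 means a stale cookie
// travels alongside the current one, and a server that reads only the first
// match may pick the wrong one.
func ContinuityCookiesAtCallback(cookieDomains []string, issueHost, callbackHost string) int {
	jar, _ := cookiejar.New(nil) // nil PublicSuffixList is acceptable for a simulation
	issueURL := &url.URL{Scheme: "https", Host: issueHost, Path: "/self-service/methods/oidc/auth/flow"}
	for i, d := range cookieDomains {
		// Constructed placeholder value; a real continuity cookie is an encoded container.
		jar.SetCookies(issueURL, []*http.Cookie{{
			Name: continuityCookie, Value: fmt.Sprintf("placeholder-%d", i),
			Path: "/", Domain: d, Secure: true, HttpOnly: true,
		}})
	}
	callbackURL := &url.URL{Scheme: "https", Host: callbackHost, Path: "/self-service/methods/oidc/callback/google"}
	n := 0
	for _, c := range jar.Cookies(callbackURL) {
		if c.Name == continuityCookie {
			n++
		}
	}
	return n
}

func main() {
	// cookies.domain covers the host serving both the start of the flow and the callback.
	fmt.Println(ContinuityCookiesAtCallback([]string{"myapp.ink"}, "auth.myapp.ink", "auth.myapp.ink")) // 1
	// Config still names the old domain after the switch: the browser rejects a
	// Domain=old.example cookie set by auth.new.example, so the callback carries none.
	fmt.Println(ContinuityCookiesAtCallback([]string{"old.example"}, "auth.new.example", "auth.new.example")) // 0
	// A host-only cookie left from an earlier cookies.domain setting plus the new
	// domain-scoped one: both are sent, under the same name.
	fmt.Println(ContinuityCookiesAtCallback([]string{"", "myapp.ink"}, "auth.myapp.ink", "auth.myapp.ink")) // 2
}
```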