Closed vodolaz095 closed 7 years ago
I mean, currently the code deployed on Heroku is pushed from my local PC. And it works. We need either
merge this PR to make a clean deploy, OR
fix Cloudflare,
uncomment the line with secure: isProtectedByCloudflare
for cookies and add an extra push to this PR,
merge this PR.
I tried to mitigate this issue in this way:
[vodolaz095@ivory ~]$ curl -v http://tacticalmastery.com/
* Trying 104.20.194.45...
* Connected to tacticalmastery.com (104.20.194.45) port 80 (#0)
> GET / HTTP/1.1
> Host: tacticalmastery.com
> User-Agent: curl/7.47.1
> Accept: */*
>
< HTTP/1.1 301 Moved Permanently
< Date: Sat, 01 Apr 2017 13:02:13 GMT
< Transfer-Encoding: chunked
< Connection: keep-alive
< Set-Cookie: __cfduid=d40d90deb12dd4f0b845b9cad42c9707f1491051733; expires=Sun, 01-Apr-18 13:02:13 GMT; path=/; domain=.tacticalmastery.com; HttpOnly
< Cache-Control: max-age=3600
< Expires: Sat, 01 Apr 2017 14:02:13 GMT
< Location: https://tacticalmastery.com/
< X-Content-Type-Options: nosniff
< Server: cloudflare-nginx
< CF-RAY: 348bbdd394884e24-DME
<
* Connection #0 to host tacticalmastery.com left intact
When a user opens the site via HTTP (not HTTPS), he is instantly redirected to the HTTPS version of the site, without any important cookies (!!!!) being sent via the HTTP protocol.
There were quite strange issues reported in Sentry https://sentry.io/starlight-group/node-api/issues/245313329/
Corresponding loggly entry
It turned out that the Heroku Redis database had run out of memory. I connected to it via redis-cli, and saw
These lines explain it all:
used_memory_human:25.02M
used_memory_lua_human:37.00K
maxmemory_human:25.00M
I prayed to Sergius_of_Radonezh, and started researching.
It turned out that the database was cluttered with initialized, but unused session entries. I researched the site, and found that the PHPSESSID cookie was not set. So express-session created all the data in Redis on each request, but the user had not received the cookie with the session, and had not used it. But the site was working, because mobile browsers usually do not use cookies.
I researched more, and found that in cookie-enabled browsers the PHPSESSID cookie was not set.
In the code, the PHPSESSID cookie is a secure one; it is used when the application is working via HTTPS, not HTTP.
And if the application is used via HTTP, the cookie is not sent to the user.
Previously, we had similar issues, when Cloudflare was working with Heroku via HTTP, not HTTPS, because there were some issues with the SSL certs installed in the application in the Heroku settings by @asharma-ror.
Probably it has repeated - https://dashboard.heroku.com/apps/flash2dev/settings.
As a half measure, I made the PHPSESSID cookie be sent as not secure, until @asharma-ror fixes the Cloudflare issues with interaction with Heroku via SSL.
This change is
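The failure described in the thread (a `secure` session cookie that is never delivered because the app sees plain HTTP from the proxy, while the store still fills with orphaned sessions) can be reproduced without any dependencies. The following is an added example, not code from this PR or the project: it models the two express-session decisions involved, "is this request secure?" and "should this uninitialized session be persisted?", and runs a cookie-aware client against four configurations. All function and option names (`isSecureRequest`, `handleRequest`, `simulate`, `scenarios`, `cookieSecure`, `trustProxy`) are hypothetical helpers written for this example; the secure-request rule follows Express's "trust proxy" plus `X-Forwarded-Proto` logic, and the session-store rule follows express-session's `saveUninitialized` behaviour.

```javascript
// Added example (not from the PR or the project): a dependency-free model of
// how an Express app behind a TLS-terminating proxy decides whether a request
// is secure, whether a `secure` session cookie gets sent, and how many
// session entries the store (Redis in the thread) accumulates.

// Express's req.secure: true if the socket itself is TLS, otherwise only if
// "trust proxy" is on and the first X-Forwarded-Proto value is https.
function isSecureRequest(req, trustProxy) {
  if (req.encrypted) return true;                 // TLS terminated by the app itself
  if (!trustProxy) return false;                  // forwarded headers ignored unless trusted
  const xfp = (req.headers['x-forwarded-proto'] || '').split(',')[0].trim();
  return xfp.toLowerCase() === 'https';
}

let nextId = 0;
function newSessionId() { return `sess-${++nextId}`; }   // constructed ids, not real session ids

// One request through an express-session-like middleware. Every request is an
// anonymous page view (the session is never modified by a handler).
function handleRequest(req, opts, store) {
  const presented = req.cookies[opts.cookieName];
  if (presented !== undefined && store.has(presented)) {
    return { setCookie: null, storeWrites: 0 };  // existing session, nothing new stored
  }
  if (!opts.saveUninitialized) {
    // an uninitialized session is neither stored nor referenced by a cookie
    return { setCookie: null, storeWrites: 0 };
  }
  const sid = newSessionId();
  store.set(sid, { createdAt: store.size });     // persisted even if the cookie is withheld
  // a cookie marked `secure` is withheld on a request the app does not consider secure
  const secure = isSecureRequest(req, opts.trustProxy);
  const setCookie = opts.cookieSecure && !secure ? null : { name: opts.cookieName, value: sid };
  return { setCookie, storeWrites: 1 };
}

// Runs `n` requests from one cookie-aware client that starts with an empty jar.
function simulate(n, reqTemplate, opts) {
  const store = new Map();
  const jar = {};
  let cookiesSent = 0;
  for (let i = 0; i < n; i++) {
    const req = { ...reqTemplate, cookies: { ...jar } };
    const res = handleRequest(req, opts, store);
    if (res.setCookie) { jar[res.setCookie.name] = res.setCookie.value; cookiesSent++; }
  }
  return { storeEntries: store.size, cookiesSent };
}

// Constructed requests as seen by the app behind a proxy (no TLS on the socket).
const proxiedHttp = { encrypted: false, headers: { 'x-forwarded-proto': 'http' } };
const proxiedHttps = { encrypted: false, headers: { 'x-forwarded-proto': 'https' } };

function scenarios(n = 1000) {
  const secureCookie = { cookieName: 'PHPSESSID', cookieSecure: true, trustProxy: true, saveUninitialized: true };
  return {
    // proxy reaches the app over plain HTTP (the thread's situation): the secure
    // cookie is never sent, yet every request leaves a new session in the store
    originHttp: simulate(n, proxiedHttp, secureCookie),
    // same transport, but uninitialized sessions are not persisted: store stays empty
    originHttpNoSaveUninit: simulate(n, proxiedHttp, { ...secureCookie, saveUninitialized: false }),
    // proxy reaches the app over HTTPS and is trusted: one session, one cookie
    originHttps: simulate(n, proxiedHttps, secureCookie),
    // HTTPS from the proxy, but "trust proxy" is off so X-Forwarded-Proto is ignored:
    // the same orphaned-session growth as originHttp
    originHttpsUntrusted: simulate(n, proxiedHttps, { ...secureCookie, trustProxy: false }),
  };
}

console.log(JSON.stringify(scenarios(), null, 2));
```

In a real app the corresponding knobs are `app.set('trust proxy', 1)` in Express and `cookie.secure` (or `secure: 'auto'`) plus `saveUninitialized: false` in express-session; the model shows why the secure flag alone is not the whole fix: until the proxy-to-origin hop is actually HTTPS and trusted, anonymous requests keep writing sessions nobody can ever resume.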