userfrosting / UserFrosting

Modern PHP user login and management framework
https://www.userfrosting.com

[5.1.3] changing `session=>[name=>'uf4']` config key breaks logins #1277

Closed StrykeSlammerII closed 1 week ago

StrykeSlammerII commented 2 weeks ago

Affected sprinkle or package

userfrosting/sprinkle-core,userfrosting/sprinkle-admin,userfrosting/sprinkle-account

UserFrosting or package Version

5.1.3

Debug Data

UserFrosting Environnement Information
======================================

 -------------------- ------------------------------------------- 
  Framework version    5.1.3                                      
  OS Name              Linux                                      
  Main Sprinkle        My Application                             
  Main Sprinkle Path   /home/strike/Frosting/UF5-cookieTest/app/  
  Environment mode     default                                    
  PHP Version          8.3.12                                     
  Node Version         v22.10.0                                   
  NPM Version          10.9.0                                     
 -------------------- ------------------------------------------- 

Loaded Sprinkles
================

 ------------------ --------------------------------------- --------------------------------------------------------------------------------------- 
  Sprinkle           Namespace                               Path                                                                                   
 ------------------ --------------------------------------- --------------------------------------------------------------------------------------- 
  Core Sprinkle      UserFrosting\Sprinkle\Core\Core         /home/strike/Frosting/UF5-cookieTest/vendor/userfrosting/sprinkle-core/app/src/../     
  Account Sprinkle   UserFrosting\Sprinkle\Account\Account   /home/strike/Frosting/UF5-cookieTest/vendor/userfrosting/sprinkle-account/app/src/../  
  AdminLTE Theme     UserFrosting\Theme\AdminLTE\AdminLTE    /home/strike/Frosting/UF5-cookieTest/vendor/userfrosting/theme-adminlte/app/src/../    
  Admin Sprinkle     UserFrosting\Sprinkle\Admin\Admin       /home/strike/Frosting/UF5-cookieTest/vendor/userfrosting/sprinkle-admin/app/src/../    
  My Application     UserFrosting\App\MyApp                  /home/strike/Frosting/UF5-cookieTest/app/src/../                                       
 ------------------ --------------------------------------- --------------------------------------------------------------------------------------- 

Database config
===============

 ------------ ------------------------------------------------------------------- 
  CONNECTION   sqlite                                                             
 ------------ ------------------------------------------------------------------- 
  DRIVER       sqlite                                                             
  HOST                                                                            
  PORT                                                                            
  DATABASE     /home/strike/Frosting/UF5-cookieTest/app/database/userfrosting.db  
  USERNAME                                                                        
  PASSWORD                                                                        
 ------------ ------------------------------------------------------------------- 

Testing database connection...
==============================

 [OK] Database connection successful

Chat Discussion (optional)

https://chat.userfrosting.com/channel/support?msg=tXdQbAnn4sS8CKTGa

Description

After overwriting the session=>[name=>'uf4'] config key in a custom app/config file, logging in only works if "Keep me signed in" box is checked. If unchecked, the login drops back to http://localhost:8080/account/sign-in?redirect=%2Fdashboard with a blue "Login required" alert message.

After investigation, logging in then back out (with "Keep me signed in" checked) clears the base uf5 cookie--but before the session name is changed, logging out does not clear the uf4 cookie. I don't know enough to be certain which is intended, but the inconsistency may be a hint.

Only other hint I can offer: I noticed issues logging in to my UF5 dev "recently" (within past month?) so it's probably not a longstanding issue.

Steps To Reproduce

1) Spin up fresh UF5 install -- I've only tested SQLite db. Issue occurs with or without email setup, under all accounts whether root or not. Here we test with no email, using root account only.
2) Clear existing cookies if necessary (be sure to start fresh here as well)
3) Log in to main UF page as root account (localhost:8080), confirm uf4 cookie is added and login (without "remember me") works normally
4) Log out, log back in with "remember me", confirm uf4-rememberme cookie is also added
5) Log out, confirm uf4 cookie remains but uf4-rememberme is removed
6) Add/edit app/config/default.php to change the session name:

```php
<?php
declare(strict_types=1);
return [
    'session' => [
        'name' => 'uf5',
    ],
];
```

7) Login now fails unless "Keep me signed in" box is checked!
8) Logging in with "Keep me signed in" and back out now clears both uf5 and uf5-rememberme cookies... but uf4 cookie remains!
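One way to record the cookie behaviour in steps 3-8 reproducibly, instead of reading it off the browser's storage panel by eye. This is an added example, not part of the original report or of UserFrosting's code: the function names are hypothetical, and the `Set-Cookie` headers are constructed to mirror what the report describes, on the assumption that the server clears a cookie by sending it back already expired.

```python
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from http.cookies import SimpleCookie


def apply_set_cookie(jar, header, now=None):
    """Apply one Set-Cookie header to jar (name -> value) roughly as a browser would.

    Simplification: Domain/Path scoping is ignored, which is enough for a
    single-host test such as localhost:8080.
    """
    now = now or datetime.now(timezone.utc)
    for name, morsel in SimpleCookie(header).items():
        if morsel["max-age"] != "":            # Max-Age wins over Expires
            expired = int(morsel["max-age"]) <= 0
        elif morsel["expires"]:
            expired = parsedate_to_datetime(morsel["expires"]) <= now
        else:
            expired = False                    # session cookie, no expiry
        if expired:
            jar.pop(name, None)
        else:
            jar[name] = morsel.value
    return jar


def replay(steps):
    """Return [(label, sorted cookie names present after that step)]."""
    jar, timeline = {}, []
    for label, headers in steps:
        for header in headers:
            apply_set_cookie(jar, header)
        timeline.append((label, sorted(jar)))
    return timeline


# Constructed Set-Cookie headers mirroring steps 3-8 of the report; values are placeholders.
GONE = "=deleted; expires=Thu, 01 Jan 1970 00:00:01 GMT; Max-Age=0; path=/"
CONSTRUCTED_STEPS = [
    ("3 login (uf4)", ["uf4=aaa; path=/; HttpOnly"]),
    ("4 login + remember", ["uf4=bbb; path=/; HttpOnly",
                            "uf4-rememberme=t1; Max-Age=604800; path=/; HttpOnly"]),
    ("5 logout", ["uf4-rememberme" + GONE]),
    ("8a login + remember (uf5)", ["uf5=ccc; path=/; HttpOnly",
                                   "uf5-rememberme=t2; Max-Age=604800; path=/; HttpOnly"]),
    ("8b logout", ["uf5" + GONE, "uf5-rememberme" + GONE]),
]

if __name__ == "__main__":
    for label, names in replay(CONSTRUCTED_STEPS):
        print(f"{label:28} {names}")
```

Replacing the constructed headers with the ones captured from each real response gives a per-step timeline that can be attached to the issue. A cookie that survives logout in this timeline only shows the browser still holds it, not that the server still accepts the session it names.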

lcharette commented 1 week ago

I tried to replicate this issue and failed. While the old "UF4" Cookie was still present (should be normal), login and remember me were working fine with the UF5 name. So it must be something else.

I was using a local install on my Mac with Safari. Were you using Docker by any chance?

I'll close this issue for now, we can reopen if you find more info on this.

StrykeSlammerII commented 1 week ago

Local install under Linux, with Firefox.

I'll post again if I find out anything new, but for now I'm going to just use the UF4 session name as a workaround. Thanks for checking.