Login as User not working with wildcard defaultCookieDomain #5799

Open
rsanchez opened this issue Mar 17, 2020 · 10 comments
@rsanchez (Author) commented Mar 17, 2020

Description

The Login as User feature does not log you in on one of our production sites. It redirects you to the front-end but you appear logged out.

This site is multi-site and has to work on www.domain.com and another subdomain. When we changed the defaultCookieDomain config to be the domain with a leading dot (.domain.com), this allowed front-end logins to work across both subdomains, but the Login as User feature stopped working.

The site is hosted on AWS EC2 with a load balancer and two Craft servers.

Our staging site is also on EC2, but with no load balancer. We do NOT set the defaultCookieDomain setting on staging, and the Login as User feature works on staging.

Additional info

  • Craft version: Craft Pro 3.3.18.4
  • PHP version: 7.3.12
  • Database driver & version: MySQL 5.7.26
@brandonkelly (Member) commented Mar 17, 2020

We’ve seen this and similar session-related issues crop up when the defaultCookieDomain setting is changed. Can you try to reproduce in an incognito/private window? If it works there, then this is a browser caching issue.

@rsanchez (Author) commented Mar 20, 2020

Doesn't work in incognito either. Another note: ELB has Sticky sessions enabled.

@angrybrad (Member) commented Mar 23, 2020

I'm not able to reproduce this locally. From your staging site, can you try setting the defaultCookieDomain to rule out load balancer/sticky session shenanigans?

@rsanchez (Author) commented Mar 24, 2020

This is a good idea. I'll have to change the staging domain(s) to test with defaultCookieDomain so I'll work on that and report back here. Thank you!

@rsanchez (Author) commented Mar 25, 2020

OK we've updated our staging site to have the same subdomain scheme as production and to use defaultCookieDomain setting, and the feature works fine. So it seems that we've isolated the issue to scenarios with both a Load Balancer and defaultCookieDomain setting.

@angrybrad (Member) commented Mar 25, 2020

Progress... does staging also have sticky sessions enabled? If so and you disable it, does the behavior change?

@rsanchez (Author) commented Mar 27, 2020

Staging does not have a load balancer and therefore no sticky sessions--it's a single instance. So it seems like my problem has to do with the load balanced scenario. Any ideas?

@angrybrad (Member) commented Mar 27, 2020

Gah, my bad.

FWIW, we have defaultCookieDomain set on id.craftcms.com to a wildcard. It's in a load-balanced environment without sticky sessions and the "login as a user" functionality works fine, which is why I was wondering if sticky sessions were the culprit.

Is anything useful being logged in Craft's logs when it happens?

@rsanchez (Author) commented Mar 31, 2020

Not much useful in the logs. I think as far as Craft is concerned, there is no error, it does its job of looking up the user, creating a session and setting a cookie.

I do have logs of the request/responses headers in this flow. Maybe a clue in here?

Admin Login as User Request

method: POST
authority: www.mysite.com
scheme: https
path: /admin/users/87
content-length: 618
cache-control: max-age=0
origin: https://www.mysite.com
upgrade-insecure-requests: 1
content-type: application/x-www-form-urlencoded
user-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36
sec-fetch-dest: document
accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.9
sec-fetch-site: same-origin
sec-fetch-mode: navigate
sec-fetch-user: ?1
referer: https://www.mysite.com/admin/users/87
accept-encoding: gzip, deflate, br
accept-language: en-US,en;q=0.9,es-ES;q=0.8,es;q=0.7
cookie: CraftSessionId=e679ef321dacb261478e3f47aa536235
cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=5476bb63631656681337b32ef86049f250d880dd142029513b85c7141c628632a%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_identity%22%3Bi%3A1%3Bs%3A254%3A%22%5B%2273%22%2C%22%5B%5C%228TS_fR9zJeN9VME6Nb-S-5tL9XZ4aa6C3ufArQYLZ1soRospUnc_p_nCoYsUu3h-7zZR7S_delQGwOzAfmVEBG0ghTXGoDkuGYVU%5C%22%2Cnull%2C%5C%22Mozilla%2F5.0+%28Macintosh%3B+Intel+Mac+OS+X+10_14_6%29+AppleWebKit%2F537.36+%28KHTML%2C+like+Gecko%29+Chrome%2F80.0.3987.132+Safari%2F537.36%5C%22%5D%22%2C1209600%5D%22%3B%7D
cookie: CRAFT_CSRF_TOKEN=f3017ffb902f70edeac139ab4f61a5f4f1f45cbf144f814fea6efbaae63925fda%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A209%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C6b6d4b309f44607ace1a9b5999e11cc647f494ae6db98bb9caead4c8d30d4530SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C73%7C%242y%2413%24LVW9FdAgbz6q7qLmbdCxCOUhHEwOOjAH0Shmq0MKg.v6pNALtNlvW%22%3B%7D
cookie: 1031b8c41dfff97a311a7ac99863bdc5_username=e4dadd110094e7beee78fb889597f3994709ae977078b4615a3c05f2d2c88b4aa%3A2%3A%7Bi%3A0%3Bs%3A41%3A%221031b8c41dfff97a311a7ac99863bdc5_username%22%3Bi%3A1%3Bs%3A16%3A%22rob%40happycog.com%22%3B%7D
cookie: AWSALB=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY
cookie: AWSALBCORS=40NQk05kzL4TLQJ4VRI1AHQs7p9TwQ4udrswTLX6Kuyd+cnH6NmhR123WkgTadm7dEkS9ejvw1OagR2P4/30EeK5au6HkSapp8VH1YWPIcKgt/pwhIILlYtSdtOY

CRAFT_CSRF_TOKEN=5IeXGZXDLnotqrXn3tvQeRJmirsQjzDVUsm_b5HH8T0cyvosiPcdzBMPx_RBXHQciBSLx8a-1Vtao-5BOGQCGvtM_rH5wHCAiFNyfLLvWIbQa-MeMFvQSnmZBYHuFj3H8ShjmQ6kMyrtPr-BjC3FjN7V8H3dtum7xRezDzvn2ivzpBwwp7mZQFpczQVomM1YVpM8K7RKvwipzeQtlBU99xl11gM0QkAHBJrXnOycULpiloktygSOiOQa2tMCD8zt_tq8iJLz_Ze7iTe5vAaGnSC3ycB3_Pt9T0Ce1o6Pjr9BdDP6-GjtUZ82hd0N36W5SC25nVS4v0KcbzmlwiVoFi-4Le3z8ojlbDvAi3BZXWAvwnXH1MjxE-O-Z0UahtZs57Vdh3wJY7IoQPpk5I9yCaTJTFCpapAGGd1t8dbiRP3f67jEHrTnvNT9ceZ_eJ-4SrnAUFLF9_sIL22-YhCohQcG7wsYyG6NcY381wnYQ2rOXxGXZFY4dnYz65vxjvgTwiHZ3EWCQfnHq3CbmzJcpICP6vHD9d2LocvHdvXISOrrdw%3D%3D&userId=87&action=users%2Fimpersonate

Admin Login as User Response

status: 302
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
location: https://www.mysite.com/
server: nginx
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: CraftSessionId=ba0601c06c9404dd69ba8c0df996b99e; path=/; domain=.mysite.com; secure; HttpOnly
x-powered-by: Craft Commerce,Craft CMS
x-robots-tag: none
x-frame-options: SAMEORIGIN
x-content-type-options: nosniff
set-cookie: 1031b8c41dfff97a311a7ac99863bdc5_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly
set-cookie: CRAFT_CSRF_TOKEN=7be3390d4bbccb71f072a1efded34f7778c4a83599bd0916c212797399846566a%3A2%3A%7Bi%3A0%3Bs%3A16%3A%22CRAFT_CSRF_TOKEN%22%3Bi%3A1%3Bs%3A149%3A%22SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C868d3bf556f0434ec145363a83880979ae6a467ff04d5ef576a1626e2a23fae9SNWni8S5m4ciQUo8fUpCxbaJdLbbNbHu1sgx0H_P%7C87%7C%22%3B%7D; path=/; domain=.mysite.com; secure; HttpOnly
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade

After Login As User Response

status: 200
date: Tue, 17 Mar 2020 14:21:41 GMT
content-type: text/html; charset=UTF-8
set-cookie: AWSALB=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/
set-cookie: AWSALBCORS=zvz6ROWeJ7auzpU+FYHi81qsjic/7LIWxhiDYYP46/4yFWDOi3NjD9QdLEbgzzh3uj91mmlnq6QWeYAm8kq6Mb8ZbO2+YJWodvHXp++FWw2bQfuheJ1vfpuZ6sr6; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/; SameSite=None; Secure
server: nginx
vary: Accept-Encoding
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
x-powered-by: Craft Commerce,Craft CMS
link: <https://www.googletagmanager.com>; rel=dns-prefetch;,<https://www.googletagmanager.com>; rel=preconnect; crossorigin;
link: <https://www.mysite.com/>; rel='canonical'
x-robots-tag: all
referrer-policy: no-referrer-when-downgrade
strict-transport-security: max-age=15768000; includeSubDomains; preload
x-frame-options: SAMEORIGIN
x-xss-protection: 1; mode=block
x-content-type-options: nosniff
referrer-policy: no-referrer-when-downgrade
content-encoding: gzip

<REDACTED FRONTEND HTML HERE>

@angrybrad (Member) commented Mar 31, 2020

Looks like the AWSALB and AWSALBCORS (assuming those are used for sticky sessions) cookie values change... maybe something is deleting that cookie, causing a new one to be sent, which bounces you to a new server where you lose the PHP session?
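Added example (not code from the issue or from Craft) that reads the exchange rsanchez posted the way angrybrad's last comment suggests: it replays the Cookie and Set-Cookie lines of the three captures (trimmed, with constructed placeholder values) and reports which cookies were replaced, deleted, or set host-only rather than for .mysite.com, so a sticky-session cookie being reissued mid-flow shows up mechanically rather than by eyeballing the dump.

```python
# Constructed sample trimmed from the headers posted above (values shortened).
REQUEST_COOKIES = [        # 'cookie:' lines on the POST /admin/users/87
    "CraftSessionId=e679ef32",
    "1031b8c4_identity=5476bb63",   # real name has a 32-char prefix
    "AWSALB=40NQk05k",
]
IMPERSONATE_RESPONSE = [   # 'set-cookie:' lines on the 302 response
    "CraftSessionId=ba0601c0; path=/; domain=.mysite.com; secure; HttpOnly",
    "1031b8c4_identity=deleted; expires=Thu, 01-Jan-1970 00:00:01 GMT; "
    "Max-Age=0; path=/; domain=.mysite.com; secure; HttpOnly",
]
FRONTEND_RESPONSE = [      # 'set-cookie:' lines on the following 200
    "AWSALB=zvz6ROWe; Expires=Tue, 24 Mar 2020 14:21:41 GMT; Path=/",
]

def parse_set_cookie(line):
    """Split one Set-Cookie header into (name, value, {attribute: value})."""
    parts = [p.strip() for p in line.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() or True  # bare flag -> True
    return name.strip(), value.strip(), attrs

def cookie_jar(cookie_lines):
    """Build {name: value} from the request's Cookie header lines."""
    return {n.strip(): v.strip() for n, _, v in (l.partition("=") for l in cookie_lines)}

def diff_flow(request_cookies, *responses):
    """Apply each response's Set-Cookie lines to the jar in order and record
    (name, event, scope): event is new/replaced/unchanged/deleted, scope is the
    Domain attribute or 'host-only' when the server sent none."""
    jar, findings = cookie_jar(request_cookies), []
    for line in (l for response in responses for l in response):
        name, value, attrs = parse_set_cookie(line)
        if attrs.get("max-age") == "0" or value == "deleted":
            event = "deleted"
            jar.pop(name, None)
        else:
            event = ("replaced" if name in jar and jar[name] != value
                     else "unchanged" if name in jar else "new")
            jar[name] = value
        findings.append((name, event, attrs.get("domain", "host-only")))
    return findings

def sticky_session_moved(findings, sticky="AWSALB"):
    """True when the load balancer's sticky cookie was reissued mid-flow."""
    return any(n == sticky and e == "replaced" for n, e, _ in findings)
```

Run against a full capture, the host-only scope of the ALB cookies next to the .mysite.com scope of Craft's cookies is the first thing worth comparing between the two subdomains.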
