"AuthStateMissing: Session value state missing" on logins with set session cookies #534
Comments
How to repeat:
Same here with Pyramid framework.
This is also a problem if you are using a partial pipeline, for example during email validation. If the user tries to complete the sign up from a different device, the session is simply not available. Also if you have a partial pipeline and the user uses a second backend to login while the first is partially complete, the partial for the first is removed. This means if they come back later to complete the validation through the email link it will no longer be valid.
As far as I can tell every version post 0.2.0 has this problem. I tried upgrading to the latest and noticed this issue.
Having the same issue here when logging in through mobile.
Any update on this? I have encountered this similar issue, and it raises
It happened to me that trying to access with: http://localhost/complete/oauth2test?state=vkTqtm0 works, but: http://localhost/complete/oauth2test/?state=vkTqtm0EsOj8E5oTDg5bGMabIgl172A0 did not. Once the trailing '/' (oauth2test/) was removed, the error disappeared.
@ericson-cepeda, interesting and thanks for the tip 👍
While debugging this adding traces to the server log, I noticed the following sequence of events WRT session state, during Google OAuth2 interactions. (Function names refer to
(The value is returned by
It is FTR, earlier in the server log lines there are Python strings for SQL; they seem to lack quotes around the values to be compared (but I'm no expert in these ORM matters!),
@ericson-cepeda, by removing the trailing slash on
FTR, there are TRAILING_SLASH (urls.py), and APPEND_SLASH (Django, in case). Maybe a stackoverflow discussion on redirects applies.
@TeckFA I hit the same problem, same symptom as you observed. Digging deeper, I found that cookies are NOT port specific, so if you run both OAuth client and provider on the same host, when being redirected to the provider to authenticate, it will overwrite the
@pellaeon OMG, thanks a lot!!! You saved my day!
I am seeing the same issue on my side as well:
I have tried disabling the trailing slash with the TRAILING_SLASH parameter but the result is the same.
I am hitting this as well, but I don't know how to act on the information that @pellaeon provides: This is a single Django instance on a single machine, on the same port, so I have a "client" page on
I click this, and then run through the google auth process, where google redirects to:
While the initial redirect clearly has a state value, that disappears somewhere:
No amount of adding or removing trailing slashes seems to have any effect on this, and this happens every time, not intermittently.
There was an error that made
I just discovered that adding "SESSION_COOKIE_SECURE = True" can start this error happening. Obviously that's pilot error - me telling the site not to accept session cookies unless over HTTPS but trying to use HTTP anyway. But I imagine it would be hard to diagnose if I hadn't just changed just this one setting (in fact I came looking for a more complete answer anyway).
Thanks @lisad, this was my issue!
@lisad is that a thing you might be able to file a PR-fix for? Sounds like a good thing to generate a logged warning for (since user error isn't a true error, but a warning message to help the user figure out they were the problem is super important).
@lisad Applied your solution, still getting "AuthStateMissing: Session value state missing". How did you solve it in the production server?
Struggled with the exact problem for days, turned out that the reason for the missing state was caused by the caching. We had Django's LocMemCache in use (django.core.cache.backends.locmem.LocMemCache), changed it to MemcachedCache (django.core.cache.backends.memcached.MemcachedCache) and the problem disappeared.
@AnttiVirtanen, I'm using django.core.cache.backends.memcached.MemcachedCache as our caching server; still, the issue persists.
@pnija Well that's fairly strange. Are you also using session based caching? And if so, which session engine? In case you are using django.contrib.sessions.backends.cache that might cause the problem too, quoted from Django documentation "... session data may not be persistent".
@AnttiVirtanen I'm using "django.contrib.sessions.backends.cached_db" as our session engine.
Is there any update on this issue?
I have exactly the same issue. I am using Memcached in production and I have SESSION_COOKIE_SECURE = True.
I also had this problem. Solved it by adding "SOCIAL_AUTH_REDIRECT_IS_HTTPS = True" in my settings.py file, since my configuration is using nginx to redirect to HTTPS. I found this answer only by reading the documentation here: https://python-social-auth-docs.readthedocs.io/en/latest/configuration/settings.html
We had that kind of problem as well. After a long investigation, we found that those errors should occur in some of the cases. We found out that some of our users are sharing the already generated When those users successfully entered their authentication details they were redirected back to our site and My suggestion is to catch the
Another thing to try if you are seeing the In my case, I only saw the error on Safari upon the redirect in the last leg of OAuth. The weirdest part was that I could refresh the page and the error would go away. Upon further digging, I realized Safari wasn't sending any cookies on the redirect, but would send cookies when I hit refresh (so the cookies were set correctly, just not being sent). I found the SESSION_COOKIE_SAMESITE setting which, by default, will strip your cookies on that redirect, and thus Django cannot find your session.
I was able to solve the issue by running an "Empty Cache and Hard Reload" in Google Chrome (https://www.thewindowsclub.com/empty-cache-hard-reload-chrome).
I'm having this same issue but I'm not sure how setting @zain did changing the
It did abolish all my problems. I recently discovered that the likely culprit was a bug in Safari. There are some details here: https://code.djangoproject.com/ticket/30250
Thanks @zain, I will give it a shot. I realize it's just the session cookie, I missed that earlier.
Hello everyone, thanks for the awesome work you do, this library is great.
Hi, I was getting an AuthAlreadyAssociated error when 2 gmail accounts were saved in the browser. For example when you click your login with google button and you are redirected to google's site and asked which email you want to log in with. In this case, when I selected one of the accounts I would get the AuthAlreadyAssociated error. To fix this, I tried closing the current session before logging in the new user. Now I'm getting the AuthStateMissing error. I've tried everything suggested here but the problem persists in our https prod environment. Anyone able to solve this recently? 🙏
How are you doing that @johndavidmullen? It should work fine if you're logging out the user first before trying to login with the other in the same browser.
Hello. I am facing the same problem. Upon debugging, I came across a function called self.get_session_state() inside social_core.backends.oauth.py Thank you :)
When client asks for a redirect to azureAd strategy: <social_django.strategy.DjangoStrategy object at 0x7fe4dbc29be0>
For some reason, I had
If you are running both in the same host, you can set different
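The thread above converges on a handful of settings that silently stop the session (and the `state` value in it) from coming back on the `/complete/<backend>/` callback: `SESSION_COOKIE_SECURE` over plain HTTP, `SESSION_COOKIE_SAMESITE` on the cross-site redirect, cache-only sessions in `LocMemCache`, `SOCIAL_AUTH_REDIRECT_IS_HTTPS` behind a TLS-terminating proxy, and a provider on the same host overwriting the client's cookie. The following is an added diagnostic, not python-social-auth's or Django's own code: it lints a plain settings dict for those causes. The setting names are real; the helper, its keyword flags, and the sample dicts are constructed for this example, and the same-host check assumes the colliding cookie is the default `SESSION_COOKIE_NAME`.

```python
# Added example: lint a Django settings dict for the causes of
# "AuthStateMissing: Session value state missing" reported in this thread.
# Helper, flags and sample dicts are constructed; setting names are Django's.

LOCMEM = "django.core.cache.backends.locmem.LocMemCache"   # Django's default cache
CACHE_ONLY_SESSIONS = "django.contrib.sessions.backends.cache"


def lint_session_settings(settings, site_is_https=True,
                          provider_on_same_host=False, provider_posts_back=False):
    """Return (setting, why the 'state' session value goes missing) pairs."""
    findings = []
    secure = settings.get("SESSION_COOKIE_SECURE", False)
    if secure and not site_is_https:
        findings.append(("SESSION_COOKIE_SECURE", "Secure cookie is never sent over "
                         "plain HTTP, so the session holding 'state' never comes back"))
    samesite = settings.get("SESSION_COOKIE_SAMESITE", "Lax")   # Django default
    if samesite == "Strict":
        findings.append(("SESSION_COOKIE_SAMESITE", "Strict cookies are withheld on "
                         "the cross-site redirect from the provider to /complete/"))
    elif samesite == "Lax" and provider_posts_back:
        findings.append(("SESSION_COOKIE_SAMESITE", "Lax cookies are withheld when the "
                         "provider returns via cross-site POST (response_mode=form_post)"))
    engine = settings.get("SESSION_ENGINE", "django.contrib.sessions.backends.db")
    cache = settings.get("CACHES", {}).get("default", {}).get("BACKEND", LOCMEM)
    if engine == CACHE_ONLY_SESSIONS and cache == LOCMEM:
        findings.append(("SESSION_ENGINE", "cache-only sessions in LocMemCache live in "
                         "one worker process; a callback served by another sees no session"))
    if (secure and site_is_https and not settings.get("SOCIAL_AUTH_REDIRECT_IS_HTTPS")
            and not settings.get("SECURE_PROXY_SSL_HEADER")):
        findings.append(("SOCIAL_AUTH_REDIRECT_IS_HTTPS", "with TLS ended at a proxy, "
                         "Django builds an http:// redirect_uri that gets no Secure cookie"))
    if provider_on_same_host and settings.get("SESSION_COOKIE_NAME", "sessionid") == "sessionid":
        findings.append(("SESSION_COOKIE_NAME", "cookies are not port-specific: a provider "
                         "on the same host with the default name overwrites the client's"))
    return findings


# Constructed settings dicts mirroring configurations described in the thread.
HTTP_WITH_SECURE_COOKIE = {"SESSION_COOKIE_SECURE": True}
STRICT_LOCMEM = {"SESSION_COOKIE_SAMESITE": "Strict", "SESSION_ENGINE": CACHE_ONLY_SESSIONS}
HARDENED = {"SESSION_COOKIE_SECURE": True, "SOCIAL_AUTH_REDIRECT_IS_HTTPS": True,
            "SESSION_ENGINE": "django.contrib.sessions.backends.cached_db",
            "CACHES": {"default": {"BACKEND":
                                   "django.core.cache.backends.memcached.MemcachedCache"}}}

if __name__ == "__main__":
    print(lint_session_settings(HTTP_WITH_SECURE_COOKIE, site_is_https=False))
    print(lint_session_settings(STRICT_LOCMEM))
    print(lint_session_settings(HARDENED) or "no known cause found")
```

Run it against your own `settings` module via `vars(django.conf.settings)` (or a copied dict) with the flags set for your deployment; an empty result means none of the causes from this thread apply, not that the session is guaranteed to survive.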
I'm working to integrate Facebook and Google OAuth2 into a site that already has working login using contrib.auth. I'm now stuck with a situation where I will receive an AuthStateMissing for both Google-Oauth2 and Facebook. The only way to successfully log in with those services is to wipe out my site cookie prior to clicking login. If I do that I can login once. Then if I try to login again I'll receive another AuthStateMissing. I've checked past issues and the site is on a subdomain of a TLD, the callback urls are correct. The traceback:
My relevant settings:
The errors only trigger once I am sent back to my site. So it doesn't appear to be related to either Google or Facebook.