Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies and multiple response headers aren't playing well together #249

Open
hiteshjasani opened this issue May 18, 2020 · 1 comment
Open

Cookies and multiple response headers aren't playing well together #249

hiteshjasani opened this issue May 18, 2020 · 1 comment
Labels
Bug

Comments

@hiteshjasani
Copy link
Contributor

hiteshjasani commented May 18, 2020
edited

If you have a single response header, are sending json and are updating a cookie then everything works fine today. If you are trying to send multiple response headers (for ex. including a CORS header), sending json and updating a cookie ... well the cookie gets dropped in the response.

Let me described what works first and then I'll get into what doesn't.

Working today

If I have a route that looks like this pseudo code.

proc isLoggedIn(request: Request): bool =
  hasKey(request.cookies, COOKIE_KEY) and
  http_sessions.hasValidSession(request.cookies[COOKIE_KEY])

template continueUserSession(request: Request): typed =
  # Do some work to calculate new expire date/time, add/update sessions, etc.
  setCookie(COOKIE_KEY, sessionId, expireDT, Lax, false, false, DEV_SERVER, "/")

get "/foo":
  if isLoggedIn(request):
    continueUserSesssion(request)
    let myjson = doWork()
    resp($myjson, "application/json")

Calling that from curl gets the following headers

HTTP/1.1 200 OK
set-cookie: mycookie=5ec2f562ef9dc91850f1679f; Domain=localhost; Path=/; Expires=Tue, 19 May 2020 20:51:46 GMT; SameSite=Lax
content-type: application/json
Content-Length: 18

So we get the cookie that we're expecting.

What doesn't work

Let's say we want to allow CORS requests. This means that in addition to the application/json header, we want to return access-control-allow-origin: * as well. Oh and we still want to update cookies to continue sessions. So our resp() call changes.

# for all intents and purposes, isLoggedIn() is the same as above

# continueUserSession() is the same as above

get "/foo":
  if isLoggedIn(request):
    continueUserSesssion(request)
    let myjson = doWork()
    resp(Http200, [("Content-Type": "application/json"), ("Access-Control-Allow-Origin": "*")], $myjson)

We get our multiple headers in the response, but it no longer includes the cookie header. Somebody silently ate the cookie instead of passing it along.

HTTP/1.1 200 OK
content-type: application/json
access-control-allow-origin: *
Content-Length: 18
@hiteshjasani
Copy link
Contributor Author

May want to review #224 as well when deciding on a fix.

@dom96 dom96 added the Bug label Jun 13, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
Bug
Projects
None yet
Milestone
No milestone
Development

No branches or pull requests
2 participants
@hiteshjasani @dom96