Unleash/unleash

Strange behaviour when using client key and unleash session cookie

erilor opened this issue · 6 comments

erilor commented

Describe the bug

I was testing your product out and found something strange, perhaps a bug?

I was running the unleash docker container (5.5.6) and also served a web-app (from the same machine) using your JS-SDK and a client API-key. Everything works nicely and the front end app fetches toggles. But if I log in to the admin web from the same browser (so I get a unleash-session cookie), my front end app starts failing with status 401 ("Token was not valid"). If I remove the cookie the front end app starts working again.

It seems like the session cookie is used even when a client key is sent in the Authorization header.

Steps to reproduce the bug

No response

Expected behavior

No response

Logs, error output, etc.

No response

Screenshots

No response

Additional context

No response

Unleash version

5.5.6

Subscription type

Open source

Hosting type

Self-hosted

SDK information (language and version)

JS-SDK

Hey @erilor,

From the information you've provided, I've attempted to reproduce the issue on my end. I set everything up similarly to your configuration. As shown in the screenshot I've attached, everything is running on the same host, just on different ports.

After logging into the admin UI, I did observe that the unleash-session cookie is set. However, in my testing, this didn't affect my web app. The web app is consistently sending its Authorization header and, importantly, no cookies are included in the request header. This behavior is consistent with what's expected, as the web app should not be sending cookies with its requests in this context.

Could you provide additional details regarding your setup to help us understand why cookies might be sent along with the request in your scenario?

Looking forward to hearing from you!

erilor commented

Hi @sjaanus !

That is weird, for me the cookie is passed with every request from JS. My cookie is set as
HostOnly:true
HttpOnly:true
Secure:false
SameSite:Lax
path:"/"

Is it the same for you? With those settings it seems like it should be passed, right?

I believe the attachment might have been missed? Or am I failing to see it somehow?

Thanks for looking into this!

Hey @erilor, this is what my setup looks like.

Running JS app on the left. Frontend requests are being sent without a cookie. On the bottom right you can see unleash-session set in the cookie store.

Image

erilor commented

Hi @sjaanus,

Interesting, I realise now that I forgot to mention that we use a reverse proxy between the frontend and the backend(s). I tried it your way and in that case the cookie isn't sent for me either.

I guess that makes this kind of an edge case, but it would be nice if the cookie was ignored if an API-key was in the request.

Yes, I concur that this appears to be a corner case. Typically, one wouldn't run a reverse proxy and operate everything on localhost.

I'll bring this to the team's attention, but I'll be closing this issue for now.

erilor commented

That seems reasonable.

But just to be clear: I wasn't running on localhost. Anyone will probably run into this if they want to expose the unleash UI on the same domain as the site that uses the toggles, if the site also uses a reverse proxy. I would imagine reverse proxies aren't that uncommon.

So while not as general as I first thought I don't think it's THAT exotic =)
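As an added illustration, not Unleash's own code, the precedence question erilor raises: a request that carries both the ambient unleash-session cookie (forwarded because the reverse proxy puts UI and app on one origin) and a client token, evaluated session-first versus token-first. The token values, the session store and the route check are constructed assumptions for the example.

```javascript
// Added example (not Unleash's code): which credential wins when a request
// carries both an ambient unleash-session cookie and a client API token.
// Token values, session store and the route check are constructed.
const VALID_CLIENT_TOKENS = new Set(["*:development.constructed-client-token"]);
const VALID_ADMIN_SESSIONS = new Map([["sess-admin-123", "admin@example.test"]]);

// Minimal Cookie header parser: "a=1; b=2" -> { a: "1", b: "2" }.
function parseCookies(header = "") {
  const out = {};
  for (const part of header.split(";")) {
    const p = part.trim();
    if (!p) continue;
    const i = p.indexOf("=");
    out[i < 0 ? p : p.slice(0, i)] = i < 0 ? "" : p.slice(i + 1);
  }
  return out;
}

// Try credential sources in order; the first one present on the request decides.
function resolvePrincipal(req, order) {
  const cookies = parseCookies(req.headers.cookie);
  for (const source of order) {
    if (source === "session" && "unleash-session" in cookies) {
      const user = VALID_ADMIN_SESSIONS.get(cookies["unleash-session"]);
      return user ? { type: "session", user } : null;
    }
    if (source === "token" && req.headers.authorization !== undefined) {
      return VALID_CLIENT_TOKENS.has(req.headers.authorization) ? { type: "client-token" } : null;
    }
  }
  return null;
}

// The client/frontend API accepts client tokens only, so even a valid admin session is rejected here.
function clientApiStatus(req, order) {
  const principal = resolvePrincipal(req, order);
  if (!principal) return { status: 401, reason: "Token was not valid" };
  if (principal.type !== "client-token") return { status: 401, reason: "session user cannot read the client API" };
  return { status: 200, reason: "ok" };
}
const SESSION_FIRST = ["session", "token"]; // reproduces the reported behaviour
const TOKEN_FIRST = ["token", "session"];   // explicit credential wins (erilor's suggestion)

// Constructed request as a browser sends it through a same-origin proxy: SDK header plus admin UI cookie.
const sameOriginRequest = {
  headers: {
    authorization: "*:development.constructed-client-token",
    cookie: "unleash-session=sess-admin-123; theme=dark",
  },
};
```

Session-first yields the 401 from the report even though the token is valid; token-first passes, and a request without the cookie passes under either order.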