Strange behaviour when using client key and unleash session cookie #5086
Comments
|
Hey @erilor, From the information you've provided, I've attempted to reproduce the issue on my end. I set everything up similarly to your configuration. As shown in the screenshot I've attached, everything is running on the same host, just on different ports. After logging into the admin UI, I did observe that the unleash-session cookie is set. However, in my testing, this didn't affect my web app. The web app is consistently sending its Authorization header and, importantly, no cookies are included in the request header. This behavior is consistent with what's expected, as the web app should not be sending cookies with its requests in this context. Could you provide additional details regarding your setup to help us understand why cookies might be sent along with the request in your scenario? Looking forward to hearing from you! |
|
Hi @sjaanus ! That is weird, for me the cookie is passed with every request from JS. My cookie is set as Is it the same for you? With those settings it seems like it should be passed, right? I believe the attachment might have been missed? Or am I failing to see it somehow? Thanks for looking into this! |
|
Hey @erilor , this is how my setup looks like. Running JS app on the left. Frontend requests are being sent without coookie. On the bottom right you can see
|
|
Hi @sjaanus, Interesting, I realise now that I forgot to mention that we use a reverse proxy between the frontend and the backend(s). I tried it your way and in that case the cookie isn't sent for me either. I guess that makes this kind of an edge case, but it would be nice if the cookie was ignored if an API-key was in the request. |
|
Yes, I concur that this appears to be a corner case. Typically, one wouldn't run a reverse proxy and operate everything on localhost. I'll bring this to the team's attention, but I'll be closing this issue for now. |
|
That seems reasonable. But just to be clear: I wasn't running on localhost. Anyone will probably run in to this if they want to expose the unleash UI on the same domain as the the site that uses the toggles, if the site also uses a reverse proxy. I would imagine reverse proxies aren't that uncommon. So while not as general as I first thought I don't think it's THAT exotic =) |
Describe the bug
I was testing your product out and found something strange, perhaps a bug?
I was running the unleash docker container (5.5.6) and also served a web-app (from the same machine) using your JS-SDK and a client API-key. Everything works nicely and the front end app fetches toggles. But if I log in to the admin web from the same browser (so I get a unleash-session cookie), my front end app starts failing with status 401 ("Token was not valid"). If I remove the cookie the front end app starts working again.
It seems like the session cookie is used even when an client-key i sent in the Authorization header.
Steps to reproduce the bug
No response
Expected behavior
No response
Logs, error output, etc.
No response
Screenshots
No response
Additional context
No response
Unleash version
5.5.6
Subscription type
Open source
Hosting type
Self-hosted
SDK information (language and version)
JS-SDK
The text was updated successfully, but these errors were encountered: