Confirmed 3.5.0 also broke our SSO on multiple different auth types. Had to revert back to 3.4.1

hmm, in this project when I open Cypress 3.5.0 I get still the old version of Electron in the list of browsers, which is really really weird

When opening Electron 61 it for real shows in the log

cypress:server:browsers opening browser { displayName: 'Electron', family: 'electron', info: 'Electron is the default browser that comes with Cypress. This is the browser that runs in headless mode. Selecting this browser is useful when debugging. The version number indicates the underlying Chromium version that Electron uses.', isChosen: true, majorVersion: '61', name: 'electron', path: '', version: '61.0.3163.100', isHeaded: true, isHeadless: false }

yeahs, seems the process shows Electron at 61 for some reason

ok, I had alpha version of 3.5.0 on my machine, now getting the right one

Passing test in 3.4.1

Failing test in 3.5.0

Notice 4 requests instead of 3

The logs in 3.5.0 (I have added DEBUG=sso to this recipe)

GET /__cypress/tests?p=cypress/integration/logging-in-single-sign-on-spec.js-945 200 537.970 ms - -
  sso in /login +0ms
  sso checking username "jane.lane" and password "password123 +1ms
  sso username and password match, redirecting to "http://localhost:7074/set_token" +0ms
  sso redirecting to 'http://localhost:7074/set_token?id_token=abc123def456' +1ms
POST /login?redirectTo=http%3A%2F%2Flocalhost%3A7074%2Fset_token 302 17.207 ms - 75
  sso /set_token, query token is abc123def456 +5s
  sso redirecting to /dashboard +1ms
GET /set_token?id_token=abc123def456 302 3.774 ms - 32
  sso nope, redirecting to /unauthorized +14ms
GET /dashboard 302 0.537 ms - 35
  sso rendering unauthorized +10ms
GET /unauthorized 200 1.080 ms - 293

Around GET /set_token call

GET /set_token?id_token=abc123def456 302 4.440 ms - 32
  sso ensureLoggedIn middleware, headers [ 'Connection', 'keep-alive', 'user-agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Cypress/3.5.0 Chrome/73.0.3683.121 Electron/5.0.10 Safari/537.36', 'accept', '*/*', 'accept-encoding', 'gzip, deflate', 'referer', 'http://localhost:7074/set_token?id_token=abc123def456', 'host', 'localhost:7074' ] session Session { cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true } } +16ms
  sso nope, redirecting to /unauthorized +3ms

The logs for 3.4.1, the same test "can authenticate with cy.request"

GET /__cypress/tests?p=cypress/integration/logging-in-single-sign-on-spec.js-057 200 955.854 ms - -
  sso in /login +0ms
  sso checking username "jane.lane" and password "password123 +2ms
  sso username and password match, redirecting to "http://localhost:7074/set_token" +0ms
  sso redirecting to 'http://localhost:7074/set_token?id_token=abc123def456' +1ms
POST /login?redirectTo=http%3A%2F%2Flocalhost%3A7074%2Fset_token 302 19.954 ms - 75
  sso /set_token, query token is abc123def456 +21s
  sso redirecting to /dashboard +0ms
GET /set_token?id_token=abc123def456 302 3.992 ms - 32
  sso session has id token +13ms
  sso rendering dashboard +0ms
GET /dashboard 200 1.891 ms - 155
  sso session has id token +82ms
  sso rendering dashboard +0ms
GET /dashboard 200 1.346 ms - 155

with more details around GET /set_token call

GET /set_token?id_token=abc123def456 302 4.511 ms - 32
  sso ensureLoggedIn middleware, headers [ 'Connection', 'keep-alive', 'user-agent', 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_6) AppleWebKit/537.36 (KHTML, like Gecko) Cypress/3.4.1 Chrome/61.0.3163.100 Electron/2.0.18 Safari/537.36', 'accept', '*/*', 'accept-encoding', 'gzip, deflate', 'referer', 'http://localhost:7074/set_token?id_token=abc123def456', 'host', 'localhost:7074', 'cookie', 'cypress-session-cookie=s%3Aw87luiUkOIcbQPvug2Mx6EcI-xsw_HXg.S7%2F5tUA4EMVHDnDKmUChebs%2FJGQHmIXaapaRBKIrHEs' ] session Session { cookie: { path: '/', _expires: null, originalMaxAge: null, httpOnly: true }, id_token: 'abc123def456' } +13ms
  sso session has id token +2ms
  sso rendering dashboard +0ms

@flotwig seems like a cookie is not being sent in 3.5.0 after redirect

In 3.4.1

Cypress sets all cookies from request response headers set-cookie array

In 3.5.0

Cypress sets only first cookie element from request response headers set-cookie array

Can confirm: on our automated testing environment we had 30+ tests that succeeded. and used beforeEach to authenticate() with adfs and & before hook for Cypress.Cookies.preserveOnce('cookie_name');

After updating to 3.5.0 -> they all fail *
*Resetting to 3.4.1 -> all pass again

There's a PR open to fix this here: https://github.com/cypress-io/cypress/pull/5455

Heads up for anyone else encountering this, until a patch comes out I'm working around this issue by manually iterating through the set-cookies array, parsing all the key/values out, and calling cy.setCookie(name, value, etcetc) on each cookie

The code for this is done in cypress-io/cypress#5455, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

Are we certain this was fixed? It's in the changelog for 3.6.0 but I'm still having issues with our company's login command, keeps bringing us back to the login page. It appears that certain essential cookies are being set in 3.4.1 but not 3.5.0 or 3.6.0.

Not sure if it helps, but our auth has multiple redirects, all of which are apparently followed but cookies aren't being set along the way.

In 3.4.1

Cypress sets all cookies from request response headers set-cookie array

In 3.5.0

Cypress sets only first cookie element from request response headers set-cookie array

it reproduces on 3.6 also

@codybarr @skylock So both of you are still experiencing the issue even after upgrading to 3.6.0?

We did definitely fix an issue with setting cookies on redirects in 3.6.0, although it's possible that you guys are experiencing a different issue.

Can you try running your tests with debug logs enabled, and share the complete logs from your session here? It will show some more information which we can use to get to the root of the issue.

• On Linux/macOS: DEBUG=cypress:* cypress ...
• On Windows: npx cross-env DEBUG=cypress:* cypress ...

Note: please make sure you scrub any sensitive data (production credentials, proxy URLs...) before sharing your logs.

Hey @flotwig Thanks for getting back so quick. I've attached logs for a simple test run in 3.4.1 and 3.6.0. I've scrubbed a bunch of data, but hopefully it's still usable.

Let me know if you need anything else.

3.4.1-output.txt
3.6.0-output.txt

@flotwig I'm also seeing the same problem with 3.6.0

Our login page returns a set-cookie array of length 2 in the response header during a 302 redirect that 1) tries to expire an existing cookie, and 2) sets an auth token cookie

• If a test navigates to the login page, fills the form out manually and submits, both cookies are processed correctly
• If I do a cy.request() to the endpoint that handles the login (ie: programmatic login), only the first cookie from the set-cookie array in the resulting 302 result is processed.

To expand on that last point, when I watch cypress running this test in UI with dev tools open, I can see the first cookie getting expired as expected, but the auth token cookie never gets set.

In 3.4.1 (and earlier), it works fine.

3.6.0.txt
3.4.1.txt
^ scrubbed data, let me know if there's anything else I can do to help. Thanks!!

We'll try to get a patch release out soon to fix this.

I can confirm, even with 3.6.0. The tests that pass in 3.4.1 (using cookies), all still fail in 3.6.0..

Released in 3.6.0.

Thanks @brian-mann. Should this issue be reopened until the issue is resolved?

@brian-mann Same issue here so +1 on reopening. Tests with login fail on 3.6.0 and pass in 3.4.1. I see something about a release in 3.6.0 3 days ago, but when I download cypress again from https://docs.cypress.io/guides/getting-started/installing-cypress.html#Direct-download, I still get the 31st October version. Can this issue be reopened please? Thanks!

Reopening since there are still some bugs with cookies + redirects. There is a PR open that should fix the issues people here are having: #5478

The code for this is done in cypress-io/cypress#5478, but has yet to be released.
We'll update this issue and reference the changelog when it's released.

Released in 3.6.1.

@brian-mann I've tried the 3.6.1 version but still facing the same problem, so forced to stick to 3.4.1.

We do a BE call that generates a url with jwt token that redirects us to the final url we can visit and start testing FE from there.

https://hostname.com/somename/eyJhbetcetcSomeLongJwtToken
redirects to
https://hostname.com/pagetotest

In all versions after 3.4.1 something seems to happen to those jwt-urls so they're not valid and giving us a 504 when trying to visit them. The call to the BE in both cases gives us a 200 and produces a url.

The only difference I've been able to spot is in the response headers when selecting that call in the left Cypress menu and looking into dev tools:
In 3.4.1 no set-cookie
In 3.6.1 a set-cookie: Array(8)
My assumption is that those new (?) cookies (csrf, token) are messing up with the original ones.

Does this give any clues? Hope to hear back from you, many thanks!

Hey @emijmker -

In Cypress 3.6.1 we fixed some cookie issues. Specifically, cookie within a redirect would not always be set on the correct domain.

Now, if you follow a redirect flow like this:

• www.example.com - sets foo = bar and redirects to auth.example.com
• auth.example.com - sets quuz = quux and redirects to www.example.com/cb
• www.example.com/cb - sets bing = baz and returns HTTP 200

You'll end up with these cookies:

• on www.example.com
  
  
  
  • foo = bar
  
  
  • quuz = quux
  
  
• on auth.example.com
  
  
  
  • bing = baz
  
  

Since this isn't working for you, do you think you could clearly describe the expected redirect flow + final cookies that you expect to be set, like I've done above? That will enable me to create a test case that I can use to figure out why it's not working as you expect.

Still not fixed for me either.

Without a workaround, my authentication script still fails in 3.6.1. Cypress still appears to only process the first cookie in the set-cookie array. Everything works as expected in 3.4.1

The auth flow goes like this:

• cy.request (get) to /account/login
  
  
  
  • this sets token1 in a cookie
  
  
  • the body contains token2 as a hidden parameter in a form
  
  
• cy.request (post) to /account/login with form:true, and a body of token2, username, password
  
  
  
  • this results in a 302 redirect to /, with two cookies in set-cookie:
  
  
  • the first expires an sso cookie, which usually doesn't exist (but doesn't make a difference to this bug if it does exist)
  
  
  • the second sets the session auth token -- this part is failing in 3.5.0+. It exists in set-cookie, otherwise my workaround wouldn't work (manually doing a cy.setcookie on everything in the set-cookie bit), it's just not being set during the cy.request
  
  

So what we should be left with after all the above is two cookies: token1 and auth token. What I get as of 3.5.0+ is just token1 (from the original get request) and no auth token.

And we're not going outside our subdomain at any point so the cookies all have the same domain.

Note: if I cy.visit('/account/login'), type the username and password in and submit the form, the redirect sets all the cookies correctly and lets cypress log in, this method has never stopped working. It's only doing it via cy.request that's failing.

Hope this helps, let me know if there's anything else I can do :)

I have similar issue authenticating using cy.request() too
Works fine in 3.4.1
In 3.6.1 it works in Electron but not in Chrome 78, desired cookies are not set after cy.request()

@pete-om Thanks a ton for sharing these details! I will get to work on reproducing this and tracking down the issue. These details are awesome.

FYI, I moved your comment to an issue so we can track this more clearly, as this thread is getting messy. New issue: #5688 You might want to watch it to receive updates.

I'm also still experiencing issues on 3.6.1... :/

Also experiencing issues on 3.6.1

Keep going back to 3.4.1

Should this be reopened? I can confirm it doesn't work in 3.6.1 but it works in 3.4.1

+1, also having issues on 3.6.1

5688 is being used to track another known cookie bug in 3.6.1, the specific bug from this issue has been fixed.