Commenting here as it appears #5432 has moved to this issue now...

Commenting here as it appears #5432 has moved to this issue now...

You can also click "Subscribe" on the right-hand sidebar to get notifications, without needing to comment. :)

Commenting here as it appears #5432 has moved to this issue now...

You can also click "Subscribe" on the right-hand sidebar to get notifications, without needing to comment. :)

Yep, I'm aware. I provided logs in the last issue, so wanted you to know I'm still following all of this. Let me know if you need anything else.

@flotwig Since the thread continued here, here's the addition to my post in 5432 as you requested https://github.com/cypress-io/cypress/issues/5432#issuecomment-552785775. Please note that in our case we don't miss cookies, but we seem to be getting extra cookies that are messing things up.

The way I test our flow in Cypress:

1. Send a POST with cy.request to https://login.dev.domainAAA.dev.com/login-service
2. From the response parse csrf cookie(part of set-cookie array)

3. Send a POST with cy.request to https://hostname.dev.domainAAA.com/sessionRequest. In the request header add the parsed csrf cookie

   _Tried it in Electron but there this POST won't even get exectuted:

   We attempted to make an http request to this URL but the request failed without a       response. We received this error at the network level:  > Error: Parse Error_
   

4. In that response a redirect url is provided > https://example.dev.domainBBB.com/eyJhbetcetcSomeLongJwtToken

   _this is where the FE comes in aka visit the given url either with cypress or manual in browser:_

5. cy.visit('https://example.dev.domainBBB.com/eyJhbetcetcSomeLongJwtToken');
6. This url will redirect to https://example.dev.domainBBB.com/actualPageToTest
   This url gets a 504 since it's not a valid url.

Please see the screenshot I added with the difference we see with the set-cookie[Array], that doesn't happen in 3.4.1. It feels like these extra added cookies are messing up the original token, creating an invalid url.

Also I don't use a cy.setCookies command, everything is handled through that redirect url.

Via manual steps in browser

To reproduce your requested example, not via BE calls:

1. login at domainAAA.com
   token for domainAAA.com is set
2. create a session on domainBBB.com
   token for domainBBB is set
   So on both domains 'token' is set, they have different values. It looks like either one overwrites the other or that the token doesn't get properly build.

I'm using

Cypress 3.6.1
Chrome 78.0.3904.87
MacOs Mojave 10.14.6

I'm working on a PR to reproduce & fix this issue here: #5702

@flotwig one addition i forgot to mention, maybe it can help, maybe it won't. When putting the jwt url in jwt.io in the right situation (3.4.1) it will give the left result, in the wrong situation (3.6.1) it will give the right result. So typ:"JWT" is missing:

That's why we had the idea that somehow it gets build incorrectly.

@pete-om @codybarr @emijmker Question, are you attempting to send multiple cookies in ONE Set-Cookie line?

Like this:

Set-Cookie: foo=bar, baz=quux

Or this:

Set-Cookie: foo=bar; baz=quux

As opposed to this:

Set-Cookie: foo=bar
Set-Cookie: baz=quux

@pete-om I attempted to reproduce your specific setup by doing the following:

I set up an Express server with these handlers:

app.get("/", function(req, res) {
  res.type('html').end(req.cookies);
}

app.get("/account/login", function(req, res) {
  res.cookie('token1', 'foo').type('html').end('hi');
});

app.post("/account/login", function(req, res) {
  res.clearCookie('shouldclear')
  .cookie('token2', 'bar')
  .redirect(302, '/');
});

Then, I wrote this test:

it("sends cookies in redirects", function() {
  cy.setCookie('shouldclear', 'something');

  cy.request('/account/login');

  cy.request({
    method: 'POST',
    url: '/account/login'
  }).its('body').should('deep.include', {
    token1: 'foo',
    token2: 'bar'
  });
});

...and it passes in 3.6.1. Can you help me spot the difference between this and your setup so I can reproduce the problem?

@emijmker You might be experiencing an issue with URL encoding, is your URL really all alphanumeric like this?

https://example.dev.domainBBB.com/eyJhbetcetcSomeLongJwtToken

Or are there special characters in there? If so, can you share a URL that contains the special characters?

@flotwig It looks kinda right

Possible things to change:

• The setCookie line isn't needed
• The POST request has form:true, with account details in the request body
• Also possibly of note, the first cookie is cleared by attempting to set a cookie with no value 1 minute into the past. eg: if the time is 02:08:36 GMT, set-cookie will show:
  "ssocompany=; expires=Tue, 19-Nov-2019 02:07:36 GMT; path=/; secure; HttpOnly"

I dumped the POST cy.request xhr to console via cy.request(stuff).then(xhr => console.log(xhr)), here's a side-by-side, which might help?:

The response header details from the initial request, which shows them to be basically identical, with some minor ordering changes:

The request headers of the redirect request, showing differences that are causing the problems:

Interestingly, an ssocompany cookie gets passed in the redirect header in 3.4.1 for some reason, perhaps the browser set the cookie with a time in the past and it hasn't run any expiry cleanup code before it sent the followup request? BUT this is not present in 3.6.1!
So I re-ran my test by adding a cy.setCookie('ssocompany') before the login script, and the login request (in either 3.4.1 or 3.6.1) doesn't clear the ssocompany cookie! BUT if I breakpoint before the login script and manually add a ssocompany cookie _with the exact same details_, it does get cleared during the request...??? Does using cy.setCookie somehow override any attempts by the site to expire a matching cookie? I'm very very _very_ confused.

@flotwig
I don't use cy.setCookies at all. In my tests I do in this order:

1. in the beforeEach a Cypress.Cookies.preserveOnce to preserve specific cookies that are automatically set after visiting that JWT url.
2. in the before a cy.clearCookies (otherwise sessions will get mixed).
3. as described before with the login and creating a session, do a cy.visit('jwtUrl')

The JWT token after the hostname is alfanumeric and can contain [ . or - or -- or _ ] and ends with ?ci=somealfanumericagain. Hope this screenshot will help to give you an idea, it's a fragment of the JSON response we get after creating a session by calling a graphql endpoint and that's what I use to cy.visit(). The blocked parts are all alfanumeric.

We are also experiencing issues with authentication on 3.5.0+, however, we observe slightly different behaviour than reported here.

We perform login with a cy.request() to a login endpoint and the response contains only one cookie in the set-cookie header but that cookie is not being set so the app fails to redirect even though the request to the login endpoint was successful.

We're also staying always inside the same domain/subdomain.

@tozes Does your cookie have a Domain set?

@tozes we have the same problem. Only one ser-cookie header is received but it wont set it

I believe the problem is most likely #5656, if you're setting a custom Domain property that will most likely fail because of this bug.

@flotwig #5656 is exactly what we're experiencing, we authenticate against the auth endpoint of something.ourdomain.com but the cookie contains domain=.ourdomain.com;
I'll follow that issue instead then, thanks a lot! 🙏

Hey everyone, version 3.7.0 of Cypress has been released with some fixes for cookie behavior. Please try it out and see if it fixes your issue.

@flotwig no change here :(

Can confirm that this fixes the issue for me. Thank you for all your work on this!

Can confirm 3.7 solved my issues also! Thanks! :)

Hey again @flotwig - I've grabbed our product code this morning and started hacking around in it to try to isolate and reproduce the issue better locally, and it seems like while the first cookie does get processed and the second one doesn't, the existence of the multiple cookies was not the real issue for us :\

• I removed that first cookie, and only sending the auth token cookie through by itself _still failed_ ☹!!
• So now that multiple cookies was ruled out, I looked closer at the auth token and noticed that while our website runs on for eg https://website.app.localhost/ (or website.domain.io for prod, etc) the auth token cookie domain is set to .app.localhost (to cover other subdomains) -- now when I change the code so the cookie domain is website.app.localhost the authentication through cy.request works!
• I reintroduced the first cookie (to double check) and the test still passed with two cookies in the array, when the auth token cookie had the modified domain
• I tried changing the cookie domain to just .localhost and that failed as well
• The first cookie didn't have a domain set so I guess that's why that one was processing

So it appears this is another cookie domain issue and unfortunately has nothing to do with the number of cookies sent through. I'm guessing it's just if the cookie domain doesn't match the full hostname, it doesn't get processed?

Apologies for the bum steer, hopefully this new info helps with finding the root cause! Happy to help further if you need more info or want me to try something else.

We're still seeing the issue in 3.7.0, and have a setup the same as @pete-om. Changing the cookie domain to exactly match the URL fixes the problem. The (maybe) interesting thing is that we have an auto-retry plugin for some occasional timing fails, and the first retry actually succeeds. I'd also be happy to help further if necessary. Thanks!

@flotwig My issue is fixed as well in 3.7.0, all tests are fully running and green. Thanks for your quick replies and implementations!

@flotwig Someone opened what I believe to be a duplicate of this issue, including their har file with a request having a LOT of Set-Cookie headers. https://github.com/cypress-io/cypress/issues/5847#issue-531141806

When I use cy.setCookie for domain like 'http://client.loc:8088' everything works fine.
but when I use cy.setCookie on http://klient-selenium-one.smf.aaa.lan/ cookies are not created.

@bcholewinski This issue is about setting cookies via the Set-Cookie HTTP header, not cy.setCookie, please find an existing issue that matches what you're experiencing or open a new one if none exist.

Re-ran our tests after upgrading to 3.7.0 and I can also confirm that this appears to be fixed. Thanks all! 👏

Hi people still experiencing issues with cookies in Cypress 3.7.0,

I've isolated & fixed a bug introduced in 3.5.0 which makes it so that explicit cookie headers set on cy.visit and cy.request do not work as expected, please check out this issue to see if it matches what you are experiencing: https://github.com/cypress-io/cypress/issues/5894

For my particular circumstance I'm not explicitly setting cookies in the request header, it's an organic response from the server.

I am also experiencing the same issue as @pete-om in that I'm not explicitly setting a cookie header and simply following the same recipe from the Recipes here where I parse out the CSRF token from the HTML page and make a second post request to our login endpoint. It is this second request that yields a 419 response status code. When inspecting the request in the DevTools inside the test runner, it looks like the request _contains only a single cookie_, but should in-fact contain _two cookies_. This works perfectly fine in 3.4.1, however I have tried each version released since (3.5.x, 3.6.x, 3.7.0, and even 3.8.0 just now) to no avail.

I am experience the same issue as @pete-om in that I'm not explicitly setting a cookie header and simply following the same recipe from the Recipes here where I parse out the CSRF token from the HTML page and make a second post request to our login endpoint. It is this second request that yields a 419 response status code. When inspecting the request in the DevTools inside the test runner, it looks like the request _contains only a single cookie_, but should in-fact contain _two cookies_. This works perfectly fine in 3.4.1, however I have tried each version released since (3.5.x, 3.6.x, 3.7.0, and even 3.8.0 just now) to no avail.

I have absolutely the same issues. Even 3.8.0 does not resolve it.

3.8.0 is still broken for me as well. Please let me know how I can get you logs or whatever it takes to fix up the issue. We could even do a screen share if it would help.

@polga try to run with NODE_OPTIONS=--max-http-header-size=1000000 before cypress run

@sergiomap thanks for the suggestion. Doesn't seem to work, although I'm not certain I'm doing it correctly. Are you suggesting running the following:

NODE_OPTIONS=--max-http-header-size=1000000
./node_modules/.bin/cypress open

@polga try to do it in the same command, you are doing it in 2.

@polga try to do it in the same command, you are doing it in 2.

I have tried but still not luck, the error changes though.

@polga try to do it in the same command, you are doing it in 2.

Thanks. Doesn't seem to help unfortunately.

Hi guys, it would be super helpful if anyone could provide a minimum reproducible example that I can use to debug the problem. I've spent a lot of time trying to reproduce these issues from GitHub comments but have had no luck.

@polga @borecz @pete-om @brandonb927 Please provide a repo + test code that reproduces the issue. You can base it off cypress-test-tiny or build it from scratch, whatever is easiest.

fwiw, I'm having this issue in 3.8.0 as well. Multiple subdomains in my app, cookie only works for one.

@corwinstephen I am still looking for a way to reproduce this issue so it can be investigated. Do you have a reproducible example or a repo I can run? It would be massively helpful.

@flotwig I'll see if I can put something together, but in the mean time, it seems to happen when cookies are set using the leading dot (.domain.com), and if it helps, the issue is not present in 3.4.1, so whatever is causing it was introduced after that.

@corwinstephen Sounds good, thank you for the information. To clarify, you're having issues with Set-Cookie headers that use Domain=.something.com not working as expected in 3.8.0?

@flotwig yep that's correct, and also confirmed the issue is present in 3.7, 3.6, and 3.5

@corwinstephen There are tests that cover setting a cookie with Domain=.something.com, so it is probably not related to that, it is most likely something else.

Unfortunately I am pretty much out of guesses as to what it could be, so this issue is blocked until someone can share a reproducible example repo.

@flotwig the strange thing is that if I hardcode my cookie domain to have a subdomain, like app.something.com, it works.

I'd love to put something together, but for my situation it would take a lot of time to do. I'll see if I can chip away over the holidays, if no one does it sooner. Alternatively, I'd be happy to set up a screen share so you can see it occurring on my machine.

@polga same here, explicitly setting the cookie with a subdomain works

@flotwig Okay, some more detail on what's happening:

In 3.4.1, I make a cy.request to my login endpoint, and the result is a single cookie set with domain=.mydomain.com
In 3.8.0 the same request sets two cookies with the same name. One has domain .mydomain.com and the other mydomain.com. Subsequently, making a request to cy.getCookie('mycookiename') yields only the first one, which is not valid for my subdomain.

In my particular instance (Rails), I believe the invalid session on the subdomain is invalidating the entire session, causing both domains to be logged out.

No updates on this? I see no cookies related fixes in 3.8.2. I am still stuck with 3.4.1

@borecz Still want to fix this issue, but I have not been able to reproduce it despite several attempts. I am hoping someone can supply some code that reproduces the issue.

May I reach you out in private? I could share the code there.

On 13. Jan 2020, at 15:18, Zach Bloomquist notifications@github.com wrote:

@borecz https://github.com/borecz Still want to fix this issue, but I have not been able to reproduce it despite several attempts. I am hoping someone can supply some code that reproduces the issue.

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub https://github.com/cypress-io/cypress/issues/5688?email_source=notifications&email_token=ANS5YMVVUCAOW42XLSA5D33Q5RZ3PA5CNFSM4JM6OMT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEIY3VCQ#issuecomment-573684362, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANS5YMQBQM2PQG5T4NZ7WDDQ5RZ3PANCNFSM4JM6OMTQ.

@borecz Sure, my email is on my GitHub profile.

@borecz were you guys able to connect on this?

Yes, we did. Zac has access to the working example.

On 17. Jan 2020, at 18:43, Stephen Elizabeth notifications@github.com wrote:

@borecz https://github.com/borecz were you guys able to connect on this?

—
You are receiving this because you were mentioned.
Reply to this email directly, view it on GitHub https://github.com/cypress-io/cypress/issues/5688?email_source=notifications&email_token=ANS5YMQ6PMLLQUZQH6Z6QCLQ6HU3PA5CNFSM4JM6OMT2YY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEJIOA7A#issuecomment-575725692, or unsubscribe https://github.com/notifications/unsubscribe-auth/ANS5YMRB3DZ5262TMT2RP5DQ6HU3PANCNFSM4JM6OMTQ.

@borecz awesome. Thanks for biting the bullet on that one

Any news on this?

@flotwig is there still activity on this?

@corwinstephen I have been unable to devote a lot of time to this lately, working on getting other things out the door. But this is my priority as soon as 4.0 is out.

An update here. I managed to get this working by grabbing the cookies set via cy.request, storing the value, then using cy.clearCookie to remove both cookies (the proper one and the duplicate), and then resetting just the proper cookie using cy.setCookie with the stored value.

Any update on progress for this, @flotwig ? Cheers

@pete-om The repo @borecz shared did not seem to reproduce this issue, so I am still unable to make any progress as I do not have an example of the bug to work with.

If nobody can provide a reproduction still, here is a list of locations to look at to try and debug this issue, if anyone wants to try to fix this themselves and open a PR:

• Functions responsible for setting/getting cookies during cy.request and cy.visit: https://github.com/cypress-io/cypress/blob/e0b31cb2b12bbae3165ee01f22edb768c737529f/packages/server/lib/request.js#L511-L599
• Central cookie automation code: https://github.com/cypress-io/cypress/blob/e0b31cb2b12bbae3165ee01f22edb768c737529f/packages/server/lib/automation/cookies.js#L1-L178
• Electron + Chrome code for massaging cookies for the Chrome DevTools Protocol: https://github.com/cypress-io/cypress/blob/e0b31cb2b12bbae3165ee01f22edb768c737529f/packages/server/lib/browsers/cdp_automation.ts#L1-L208
• Firefox code for massaging cookies for WebExtensions: https://github.com/cypress-io/cypress/blob/e0b31cb2b12bbae3165ee01f22edb768c737529f/packages/extension/app/background.js#L1-L231
• Most of the cookies e2e tests (run by running the 2_cookies_spec e2e test): https://github.com/cypress-io/cypress/blob/e0b31cb2b12bbae3165ee01f22edb768c737529f/packages/server/test/support/fixtures/projects/e2e/cypress/integration/cookies_spec_baseurl.coffee#L1-L326

@flotwig @pete-om @borecz fwiw my issues here were resolved in 4.3.0

🤦‍♂️ I'd been scanning release notes every update but managed to miss https://github.com/cypress-io/cypress/issues/6628 in the list for 4.3.0, and that sounds exactly like my problem as described in this thread above. Have updated to latest and my issues are now resolved too. Thanks @flotwig @corwinstephen

Nice!

Closing this issue since @pete-om was the OP. Anyone who is still experiencing cookie issues in the latest version of Cypress, please search the repo for the issue or open a new issue if one does not exist.