plug_rails_cookie_session_store's People

Contributors

andrewtimberlake, caspg, cconstantin, edmz, gaynetdinov, hisea, joerichsen, msramos, rmosolgo

plug_rails_cookie_session_store's Issues

Issues with Rails 5.2.2

In a brand new Rails 5.2.2 app attempting to communicate with a Phoenix 1.4.0 (Cowboy 2.7.0) app I was unable to get this plug to work. After double and triple checking I had the correct environment variables I started to try and figure out where the problem might be.

In message_verifier.ex the verify function looks like it attempts to split a cookie value of something like abcdefgh--abcdef (2 segments). However, mine had 3 segments, e.g. abcdefgh--abcdef--abcdef.

I downgraded to Rails 5.0.0 and everything immediately started working so I'm guessing it must be a problem with the latest Rails version.

Has anyone else experienced the same issue?
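
Added example (not part of the original issue or of the plug's code): a Ruby diagnostic that classifies a cookie value by the "--"-separated layouts ActiveSupport produces, two segments for MessageVerifier-signed values (including legacy CBC-encrypted ones) and three for AES-256-GCM, the layout reported above. The key, payload and function names are constructed for the illustration.

```ruby
require "openssl"
require "base64"

# Strict Base64 decode that returns nil instead of raising on bad input.
def b64(str)
  str.empty? ? nil : Base64.strict_decode64(str)
rescue ArgumentError
  nil
end

# Classify a Rails cookie value by its "--"-separated layout.
def classify_rails_cookie(raw)
  # Browsers show the value percent-encoded; undo only %XX so "+" survives.
  parts = raw.b.gsub(/%(\h\h)/) { $1.hex.chr }.split("--", -1)
  case parts.length
  when 2 # MessageVerifier: base64(payload)--hex HMAC
    payload = b64(parts[0])
    return :unknown unless payload && parts[1].match?(/\A\h+\z/)
    inner = payload.split("--", -1)
    # Legacy encrypted cookies sign base64(ciphertext)--base64(16-byte CBC IV).
    cbc = inner.length == 2 && b64(inner[0]) && b64(inner[1])&.bytesize == 16
    cbc ? :cbc_hmac : :signed_only
  when 3 # AEAD MessageEncryptor: base64(ciphertext)--base64(iv)--base64(tag)
    data, iv, tag = parts.map { |part| b64(part) }
    data && iv&.bytesize == 12 && tag&.bytesize == 16 ? :aes_gcm : :unknown
  else
    :unknown
  end
end

# Constructed samples built with a throwaway key; these are not real cookies.
def sample_cookies(key = "k" * 32, plain = '{"user_id":1}')
  enc  = ->(bytes) { Base64.strict_encode64(bytes) }
  sign = ->(data) { data + "--" + OpenSSL::HMAC.hexdigest(OpenSSL::Digest.new("SHA1"), key, data) }
  seal = lambda do |name|
    cipher = OpenSSL::Cipher.new(name).encrypt
    cipher.key = key
    iv = cipher.random_iv
    cipher.auth_data = "" if cipher.authenticated?
    [cipher.update(plain) + cipher.final, iv, cipher]
  end
  cbc_ct, cbc_iv, _ = seal.call("aes-256-cbc")
  gcm_ct, gcm_iv, gcm = seal.call("aes-256-gcm")
  { signed_only: sign.call(enc.call(plain)),
    cbc_hmac:    sign.call(enc.call(enc.call(cbc_ct) + "--" + enc.call(cbc_iv))),
    aes_gcm:     [gcm_ct, gcm_iv, gcm.auth_tag].map(&enc).join("--") }
end

sample_cookies.each { |kind, value| puts "#{kind} -> #{classify_rails_cookie(value)}" }
```

On the Rails side, config.action_dispatch.use_authenticated_cookie_encryption selects between the two encrypted layouts.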

Cannot write session

Using (at least) Phoenix 1.3, I cannot get the way to write into the session effectively.

At the moment I'm able to read the Rails session correctly, but nothing I write on the session is finally written in the cookie.

I've just put a test plug to print in console the content of the session, and everything written in Rails appears, but not the things written in Phoenix. As expected, that avoids also the correct work of CSRF protection (as the key is stored in session).

Any ideas what can be happening?

My config:

  plug Plug.Session,
    store: PlugRailsCookieSessionStore,
    key: "_myapp_session",
    domain: '.acutario.dev',
    secure: true,
    signing_with_salt: true,
    signing_salt: "signing salt",
    encrypt: true,
    encryption_salt: "encryption salt",
    key_iterations: 1000,
    key_length: 64,
    key_digest: :sha,
    serializer: Poison

Thanks!

nil can't be coerced into Fixnum

When I share a session created in Phoenix with my Rails 4.2 app I get the following exception in my views when calling form_authenticity_token or csrf_meta_tags. Any ideas?

nil can't be coerced into Fixnum

comes from this line:

vendor/bundle/ruby/2.3.0/gems/actionpack-4.2.8/lib/action_controller/metal/request_forgery_protection.rb:321

def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1,c2)| c1 ^ c2 }.pack('c*')
end
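
Added example (not part of the original issue or of Rails): xor_byte_strings raises this TypeError whenever its second argument is shorter than the first, because zip pads the shorter side with nil. The sketch reproduces that with a constructed short token and adds a hypothetical pre-check on the "_csrf_token" session value; TOKEN_LENGTH = 32, mask_outcome and csrf_token_problem are assumptions made for the illustration.

```ruby
require "securerandom"
require "base64"

# Quoted in the post from actionpack 4.2.8.
def xor_byte_strings(s1, s2)
  s1.bytes.zip(s2.bytes).map { |(c1, c2)| c1 ^ c2 }.pack('c*')
end

TOKEN_LENGTH = 32 # assumption: value of Rails' AUTHENTICITY_TOKEN_LENGTH

# Hypothetical stand-in for the masking step: XOR a fresh pad with the decoded token.
def mask_outcome(session_value)
  pad = SecureRandom.random_bytes(TOKEN_LENGTH)
  xor_byte_strings(pad, Base64.strict_decode64(session_value))
  :masked
rescue TypeError, ArgumentError => e
  e.class
end

# Hypothetical pre-check for the "_csrf_token" session value before it is masked.
def csrf_token_problem(session_value)
  size = Base64.strict_decode64(session_value).bytesize
  size == TOKEN_LENGTH ? nil : "decodes to #{size} bytes, expected #{TOKEN_LENGTH}"
rescue ArgumentError
  "not strict Base64"
end

rails_style = SecureRandom.base64(32) # constructed: 32 random bytes, Base64-encoded
short_token = SecureRandom.base64(18) # constructed: shorter token from another writer
puts mask_outcome(rails_style), mask_outcome(short_token), csrf_token_problem(short_token)
```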

In Rails 7.1 the cookie format has changed compared to 7.0. Breaks Phx->Rails, but not Rails->Phx transition.

Problem

In Rails 7.1 (which bumps Rack from 2.2.8 to 3.0.9.1 and rack-session to 2.0.0) the cookies are not compatible with Rails 7.0. When I copy in Chrome from Tools - Application tab - Storage section - Cookies the encrypted content of a cookie created in Rails 7.1, make a git checkout to the previous commit where I am on Rails 7.0 and paste the cookie - it is not recognized. But if I do the same between Rails 7.0 and Rails 6.0 it is recognized. Same happens between Rails 7.1 and Phoenix using plug_rails_cookie_session_store, except that the cookies are normally read and used when transitioning from Rails 7.1 to Phoenix, but then when I click on a link back to the Rails 7.1 app - the cookies are not recognized - so it is only the put(conn, _sid, term, opts) that does not work properly, while the get() and init() are fine.

Moreover Rails 7.1 puts the "unrecognized" cookies into the encrypted "message" (cookies[_rails][message][_rails][message]... etc.), so when the user clicks multiple times to switch from Phx to Rails back and forth - the message becomes longer and longer and soon Rails raises ActionDispatch::Cookies::CookieOverflow.

Attempts to solve

I tried 7.1 with older versions of Rack/Rack-session, but it did not work.

The :sha -> :sha256 change is done for both 7.0 and 7.1. :sha is only for 6.0 and 6.1. Anyway, since the get() func works, the encryption should not be the problem, but some kind of formatting I guess.

Current bad solution

Revert back to Rails 7.0

Related issue

Probably related to this issue - rails/rails#48195. But I could not find the "[" prefix as described or any other solution for Rails 7.1.

mix test fail

Hi, mix test fails.

I run

mix deps.update
mix test

......

  1. test gets and sets custom serialized session cookie (PlugRailsCookieSessionStoreTest)
    test/plug_rails_cookie_session_store_test.exs:175
    Assertion with == failed
    code: conn(:get, "/") |> recycle_cookies(conn) |> custom_serialize_conn() |> get_session(:foo) == "bar"
    lhs: nil
    rhs: "bar"
    stacktrace:
    test/plug_rails_cookie_session_store_test.exs:180: (test)

................

Finished in 0.2 seconds
23 tests, 1 failure

Having trouble sharing session between rails 3 and phoenix

I followed the README to set up ExMarshal but couldn't get it working.

I understand that Rails 3.2.22 is signed but not encrypted, I set up my Phoenix endpoint according to README but it doesn't seem to work.

If anyone got this working, can you please share some insight on configuration?

Thanks

LiveView Configuration Issue - LiveView session was misconfigured or the user token is outdated

Has anyone been able to get this working with LiveView or have any recommendations as to how I might debug this issue...

I am starting with https://github.com/dersnek/chirp as a working application

I get the following errors after setting everything up per the instructions... it seems like everything is as it should be

[debug] LiveView session was misconfigured or the user token is outdated.

1) Ensure your session configuration in your endpoint is in a module attribute:

    @session_options [
      ...
    ]

2) Change the `plug Plug.Session` to use said attribute:

    plug Plug.Session, @session_options

3) Also pass the `@session_options` to your LiveView socket:

    socket "/live", Phoenix.LiveView.Socket,
      websocket: [connect_info: [session: @session_options]]

4) Define the CSRF meta tag inside the `<head>` tag in your layout:

    <%= csrf_meta_tag() %>

5) Pass it forward in your app.js:

    let csrfToken = document.querySelector("meta[name='csrf-token']").getAttribute("content");
    let liveSocket = new LiveSocket("/live", Socket, {params: {_csrf_token: csrfToken}});

[info] REFUSED CONNECTION TO Phoenix.LiveView.Socket in 452µs
  Transport: :websocket
  Serializer: Phoenix.Socket.V2.JSONSerializer
  Parameters: %{"_csrf_token" => "Kzo_DhAfHjhVMH19RkUJfxEHICQcIQdqfNqFJyuA9ADH26DLUuWfnbQG", "vsn" => "2.0.0"}

My endpoint.ex file has the following sections:

  @session_options [
    store: PlugRailsCookieSessionStore,
    key: "_chirp_key",
    secure: true,
    signing_with_salt: true,
    signing_salt: "signed cookie",
    encrypt: true,
    encryption_salt: "signed encrypted cookie",
    key_iterations: 1000,
    key_length: 64,
    key_digest: :sha,
    serializer: Poison
  ]
  socket "/socket", ChirpWeb.UserSocket,
    websocket: true,
    longpoll: false

  socket "/live", Phoenix.LiveView.Socket, websocket: [ connect_info: [session: @session_options]]
  plug Plug.MethodOverride
  plug Plug.Head
  plug Plug.Session, @session_options
  plug ChirpWeb.Router
