Comments (22)
const server = new Hapi.Server({
  connections: {
    state: {
      // If your cookie format is not RFC 6265, set this param to false.
      strictHeader: false
    }
  }
});
from cookie.
Since you're using try you're expecting to access your resource, without being logged in?
from cookie.
I'm using try because the page simply has some additional functionality when the user is logged in. When I log in, shut down my server, wait some time, and then restart my server, I receive the error above even though I set the key in Redis for 3 days and I set the cookie validity for 3 days. I do not understand why the clearInvalid key is not clearing the Bad cookie value error and just continuing on to the page without authentication.
from cookie.
clearInvalid should be called even though the error response is returned. What happens if you hit this route without a cookie? Can you share the route config?
from cookie.
If I delete all of my cookies (_distillery, sid) and hit the route, I see the page as an unauthenticated user.
The most recent page I saw this on was my hapijs/hapi-swagger documentation page, which is configured to use the default try authentication mode and the following configuration:
server.register {
  register: require("hapi-swagger")
  options:
    basePath: server.info.uri
    apiVersion: 2
    info:
      title: "Docs"
      description: "docs"
      contact: "[email protected]"
}, (err) ->
  throw err if err?
Sorry I can't provide a better route config example, this is very hard to reproduce and I have not found a way to reliably do so as of yet. The hapi-swagger route is simply the most recent one to have this response in memory.
from cookie.
Can you test this without the cache part? Need to know if the validateFunc is part of the problem.
from cookie.
So you want just callback(null,true) in the validateFunc?
from cookie.
I just ran a test where I did a redis FLUSHALL from the cache, removing all traces of cookies from the server session cache and the cookie was successfully dumped from the client without throwing an error, so I do not think it is an issue with the cache.
I have also tried removing just the _distillery or sid cookies from my client because they seem to have different expiration times, but only having one of those doesn't seem to affect behavior either.
I've also tried shutting down my redis/mongo instances to see if it was a connection issue where a connection would drop, however my server handles those cases successfully.
from cookie.
@tjsail33 For the test of the validateFunc it may be best to test a successful login as well as an unsuccessful login. So returning callback(null, true) wouldn't be sufficient. But it's an option.
from cookie.
Okay, new development. It actually happens when I change from my old express application (cookie name format "app_name:environment") to the new hapi branch I am working from. I receive this error until I delete all of the cookies for the old application version. How can I prevent this freak out from happening when unknown cookie names are detected?
from cookie.
Are you sure you didn't have a cookie named 'sid' from your old application? hapi-auth-cookie will only be looking for the cookie named in your config.
from cookie.
I do, however shouldn't clearInvalid clear out this old invalid cookie value?
If I delete just the sid cookie and leave the app:development cookie, the error persists. There seems to be an issue somewhere when a cookie is present that should not be.
from cookie.
Is app:development the cookie name? Or is the cookie name app and the value is development?
from cookie.
app:development is the cookie name. The value is akin to the value of an sid cookie.
from cookie.
Doing some testing earlier, hapijs\statehood won't allow us to assign cookies with colons in their name. When setting that cookie I get the following error, Error: Invalid cookie name.
I'd have to assume that you're going to experience a problem when you are sending cookies which have colons in their name. Can you confirm that you only get this error when the app:development cookie is being sent?
@hueniverse Should cookie names with : in them be allowed? I can't find anything in a RFC that says they can't.
from cookie.
So the interesting part is I'm not trying to send the cookie from Hapi. It just pre-exists in my localhost session, so it gets sent with the request to the server. Hapi shouldn't even be paying attention to that cookie as far as I can tell, because I don't utilize that nomenclature anymore.
from cookie.
Hapi is going to pay attention to any cookie which is sent in a request.
from cookie.
And yes, I can confirm that I only receive the error when I send a cookie with a :. I have not tried other special characters, however the sid from the old server does not cause this error.
from cookie.
Closing for now. Feel free to open an issue in Statehood if you would like, but I'll wait for comments from @hueniverse first.
from cookie.
@tjsail33 you need to set the default cookie settings (or better just the one you are having problems with) to allow invalid cookies as described in https://github.com/hapijs/hapi/blob/master/API.md#serverstatename-options for strictHeader.
from cookie.
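The failure discussed in this thread, as an added example that is not part of the original comments and is not hapi's or statehood's own code: a simplified model of strict Cookie header parsing against the RFC 6265 section 4.1.1 grammar, where cookie-name is an RFC 2616 token (which excludes ":") and cookie-value excludes double quotes inside the value. The function name, the result shape and the sample headers are assumptions made for illustration; only the option name strictHeader comes from the thread.

```javascript
// Added example: RFC 6265 section 4.1.1 grammar checks (not statehood's source).
// cookie-name is an RFC 2616 token: no CTLs, space, or separators like : = , ; " { }
const TOKEN = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;
// cookie-value is *cookie-octet, optionally wrapped in one pair of double quotes.
const OCTETS = /^[\x21\x23-\x2B\x2D-\x3A\x3C-\x5B\x5D-\x7E]*$/;

function isValidValue(value) {
  const inner = /^".*"$/.test(value) ? value.slice(1, -1) : value;
  return OCTETS.test(inner);
}

// Hypothetical helper modelling the strictHeader option described in the thread.
function parseCookieHeader(header, { strictHeader = true } = {}) {
  const cookies = Object.create(null); // no prototype, so odd names cannot clash
  const invalid = [];
  for (const part of header.split(';')) {
    const pair = part.trim();
    if (!pair) continue;
    const eq = pair.indexOf('=');
    const name = eq === -1 ? pair : pair.slice(0, eq);
    const value = eq === -1 ? '' : pair.slice(eq + 1);
    if (!TOKEN.test(name) || !isValidValue(value)) invalid.push(name);
    cookies[name] = value;
  }
  // Strict mode: one malformed cookie fails the whole header, even when the
  // application never reads that cookie (the stale app:development case).
  if (strictHeader && invalid.length > 0) {
    return { ok: false, cookies: Object.create(null), invalid };
  }
  // Non-strict mode: out-of-grammar cookies are accepted as sent.
  return { ok: true, cookies, invalid };
}

// Constructed sample headers: a stale cookie from another app on the same
// host, and a JSON-like value written by another project.
const SAMPLE_HEADERS = [
  'sid=Fe26.2abc; app:development=s3ssion',
  'sid=Fe26.2abc; prefs={"theme":"dark"}',
  'sid=Fe26.2abc; _distillery="xyz"',
];

for (const header of SAMPLE_HEADERS) {
  const strict = parseCookieHeader(header);
  const loose = parseCookieHeader(header, { strictHeader: false });
  console.log(header, '| strict ok:', strict.ok, '| rejected:', strict.invalid,
    '| loose sid:', loose.cookies.sid);
}
```

Cookies are scoped by host and not by port, so a cookie set by another project on localost-style shared hosts reaches every service on that host; the `invalid` list is the part worth logging when diagnosing a rejected header.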
@HelloYie This is incredible, setting strictHeader to false resolved my issue as well.
I couldn't enter any route protected by this plugin. After some investigation I found out that the problem was caused by a cookie set by me in my other project. I was running them on separate ports (3000 for hapi, 8001 for other project), but I was using the same domain - localhost.
EDIT: Well, not exactly - my problem was something else. After some more investigating I've noticed that I am saving a JSON-like string, which (apparently) is against RFC 6265 format. The problem lies in the other project, but still - good to know!
from cookie.
This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
from cookie.