
Invalid cookie value (hapijs/cookie issue, 22 comments, closed)

hapijs commented on June 15, 2024
Invalid cookie value

from cookie.

Comments (22)

HelloYie commented on June 15, 2024

const Hapi = require('hapi');

// hapi < 17 connection-level state options (later versions take `state`
// directly in the server options).
const server = new Hapi.Server({
  connections: {
    state: {
      // If your cookie format is not RFC 6265, set this param to false.
      strictHeader: false
    }
  }
});

jaw187 commented on June 15, 2024

Since you're using try you're expecting to access your resource, without being logged in?

timcosta commented on June 15, 2024

I'm using try because the page simply has some additional functionality when the user is logged in. When I log in, shut down my server, wait some time, and then restart my server, I receive the error above even though I set the key in Redis for 3 days and I set the cookie validity for 3 days. I do not understand why the clearInvalid key is not clearing the Bad cookie value error and just continuing on to the page without authentication.

jaw187 commented on June 15, 2024

clearInvalid should be called even though the error response is returned. What happens if you hit this route without a cookie? Can you share the route config?

timcosta commented on June 15, 2024

If I delete all of my cookies (_distillery, sid) and hit the route, I see the page as an unauthenticated user.

The most recent page I saw this on was my hapijs/hapi-swagger documentation page, which is configured to use the default try authentication mode and the following configuration:

# CoffeeScript
server.register {
    register: require("hapi-swagger")
    options:
        basePath: server.info.uri
        apiVersion: 2
        info:
            title: "Docs"
            description: "docs"
            contact: "[email protected]"
}, (err) ->
    throw err if err?

Sorry I can't provide a better route config example, this is very hard to reproduce and I have not found a way to reliably do so as of yet. The hapi-swagger route is simply the most recent one to have this response in memory.

hueniverse commented on June 15, 2024

Can you test this without the cache part? Need to know if the validateFunc is part of the problem.

timcosta commented on June 15, 2024

So you want just callback(null,true) in the validateFunc?

timcosta commented on June 15, 2024

I just ran a test where I did a redis FLUSHALL from the cache, removing all traces of cookies from the server session cache, and the cookie was successfully dumped from the client without throwing an error, so I do not think it is an issue with the cache.

I have also tried removing just the _distillery or sid cookies from my client because they seem to have different expiration times, but only having one of those doesn't seem to affect behavior either.

I've also tried shutting down my redis/mongo instances to see if it was a connection issue where a connection would drop, however my server handles those cases successfully.

jaw187 commented on June 15, 2024

@tjsail33 For the test of the validateFunc it may be best to test a successful login as well as an unsuccessful login. So returning callback(null, true) wouldn't be sufficient. But it's an option.

timcosta commented on June 15, 2024

Okay, new development. It actually happens when I change from my old express application (cookie name format "app_name:environment") to the new hapi branch I am working from. I receive this error until I delete all of the cookies for the old application version. How can I prevent this freak out from happening when unknown cookie names are detected?

jaw187 commented on June 15, 2024

Are you sure you didn't have a cookie named 'sid' from your old application? hapi-auth-cookie will only be looking for the cookie named in your config.

timcosta commented on June 15, 2024

I do, however shouldn't clearInvalid clear out this old invalid cookie value?

If I delete just the sid cookie and leave the app:development cookie, the error persists. There seems to be an issue somewhere when a cookie is present that should not be.

jaw187 commented on June 15, 2024

Is app:development the cookie name? Or is the cookie name app and the value is development?

timcosta commented on June 15, 2024

app:development is the cookie name. The value is akin to the value of an sid cookie.

jaw187 commented on June 15, 2024

Doing some testing earlier, hapijs/statehood won't allow us to assign cookies with colons in their name. When setting that cookie I get the following error: Error: Invalid cookie name.

I'd have to assume that you're going to experience a problem when you are sending cookies which have colons in their name. Can you confirm that you only get this error when the app:development cookie is being sent?

@hueniverse Should cookie names with : in them be allowed? I can't find anything in a RFC that says they can't.

timcosta commented on June 15, 2024

So the interesting part is I'm not trying to send the cookie from Hapi. It just pre-exists in my localhost session, so it gets sent with the request to the server. Hapi shouldn't even be paying attention to that cookie as far as I can tell, because I don't utilize that nomenclature anymore.

jaw187 commented on June 15, 2024

Hapi is going to pay attention to any cookie which is sent in a request.

timcosta commented on June 15, 2024

And yes, I can confirm that I only receive the error when I send a cookie with a :. I have not tried other special characters, however the sid from the old server does not cause this error.

jaw187 commented on June 15, 2024

Closing for now. Feel free to open an issue in Statehood if you would like, but I'll wait for comments from @hueniverse first.

hueniverse commented on June 15, 2024

@tjsail33 you need to set the default cookie settings (or better just the one you are having problems with) to allow invalid cookies as described in https://github.com/hapijs/hapi/blob/master/API.md#serverstatename-options for strictHeader.

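Two findings in this thread, jaw187's that statehood rejects a cookie name containing a colon and hueniverse's that strictHeader decides whether one such pair fails the whole request, both come down to the RFC 6265 cookie grammar. The following is an added example and not code from hapi, statehood or hapi-auth-cookie: a small checker that parses a Cookie header against that grammar in a strict mode (first malformed pair rejects the header, as the thread describes for strictHeader true) and a lenient mode (keep the well-formed pairs, report the rest). The function names, the error strings and the sample header are this example's own assumptions, not hapi's.

```javascript
// Added example, not code from hapi, statehood or hapi-auth-cookie: an
// RFC 6265 Cookie-header checker with a strict and a lenient mode.
// Error strings below are this example's own, not hapi's.

// RFC 2616 "token" (RFC 6265 uses it for cookie-name): printable ASCII
// except the separators ( ) < > @ , ; : \ " / [ ] ? = { } SP HT.
// A colon is a separator, so "app:development" is not a valid cookie-name.
const COOKIE_NAME_RE = /^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/;

// RFC 6265 cookie-octet: %x21 / %x23-2B / %x2D-3A / %x3C-5B / %x5D-7E
// (no CTLs, whitespace, DQUOTE, comma, semicolon or backslash); the whole
// value may optionally be wrapped in one pair of DQUOTEs.
const COOKIE_OCTETS = '[\\x21\\x23-\\x2B\\x2D-\\x3A\\x3C-\\x5B\\x5D-\\x7E]*';
const COOKIE_VALUE_RE = new RegExp(`^(?:"${COOKIE_OCTETS}"|${COOKIE_OCTETS})$`);

function isValidCookieName(name) { return COOKIE_NAME_RE.test(name); }
function isValidCookieValue(value) { return COOKIE_VALUE_RE.test(value); }

// Classify one "name=value" pair taken from a Cookie header.
function checkCookiePair(pair) {
  const eq = pair.indexOf('=');
  if (eq < 0) return { ok: false, raw: pair, reason: 'Missing "=" in cookie-pair' };
  const name = pair.slice(0, eq);
  const value = pair.slice(eq + 1);
  if (!isValidCookieName(name)) return { ok: false, raw: pair, name, reason: 'Invalid cookie name' };
  if (!isValidCookieValue(value)) return { ok: false, raw: pair, name, reason: 'Invalid cookie value' };
  return { ok: true, name, value };
}

// Parse a full Cookie header.
// strict: throw on the first malformed pair (the whole request is rejected).
// lenient: return the well-formed pairs plus a list of the rejected ones so
// the application can log and ignore them instead of failing the request.
function parseCookieHeader(header, { strict = true } = {}) {
  const cookies = {};
  const errors = [];
  for (const piece of header.split(';')) {
    const pair = piece.trim();
    if (pair === '') continue;
    const result = checkCookiePair(pair);
    if (result.ok) {
      cookies[result.name] = result.value;
    } else if (strict) {
      throw new Error(`${result.reason}: ${result.raw}`);
    } else {
      errors.push(result);
    }
  }
  return { cookies, errors };
}

// Remedy for a JSON-like value (the last comment's case): percent-encode it
// before setting the cookie, which maps every forbidden byte into cookie-octets.
function encodeCookieValue(value) { return encodeURIComponent(value); }

// Constructed sample header (not captured from a real session): a valid
// session cookie, a stale cookie with a colon in its name left behind by
// another app on the same host, and a JSON-like value.
const SAMPLE_HEADER = 'sid=abc123; app:development=s%3Axyz; prefs={"theme":"dark"}';

if (typeof require !== 'undefined' && require.main === module) {
  const lenient = parseCookieHeader(SAMPLE_HEADER, { strict: false });
  console.log('accepted:', lenient.cookies);
  for (const e of lenient.errors) console.log('rejected:', e.reason, '->', e.raw);
  try {
    parseCookieHeader(SAMPLE_HEADER, { strict: true });
  } catch (err) {
    console.log('strict mode:', err.message);
  }
  console.log('encoded prefs value valid:',
    isValidCookieValue(encodeCookieValue('{"theme":"dark"}')));
}
```

In strict mode the stale app:development cookie fails the whole header, which is the behaviour reported in the thread. Turning strictHeader off makes the server accept whatever the browser sends; the lenient branch is the defender's version of that choice: keep the pairs that parse, record the rejected ones, and never hand an unvalidated value to a downstream parser. The JSON-like value becomes valid once percent-encoded, as encodeCookieValue shows.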

broiniac commented on June 15, 2024

@HelloYie This is incredible, setting strictHeader to false resolved my issue as well.

I couldn't enter any route protected by this plugin. After some investigation I found out that the problem was caused by a cookie set by me in my other project. I was running them on separate ports (3000 for hapi, 8001 for the other project), but I was using the same domain - localhost.

EDIT: Well, not exactly - my problem was something else. After some more investigating I've noticed that I am saving a JSON-like string, which (apparently) is against the RFC 6265 format. The problem lies in the other project, but still - good to know!

lock commented on June 15, 2024

This thread has been automatically locked due to inactivity. Please open a new issue for related bugs or questions following the new issue template instructions.
