
I noticed that I have always had issues when it came to logging into my Rails app when using the Brave Browser in private mode. When I referred to this comment, this helped me fix the issue in development I believe (or at least temporarily), but after pushing this change to production, I'm running into the same issue.

When I log in, I see the following in the Rails console:

I, [2020-12-24T19:43:48.736777 #228]  INFO -- : [2d546938-c52a-465f-8269-6b0a5871cc8d] Started POST "/users/sign_in" for 71.199.129.20 at 2020-12-24 19:43:48 +0000
I, [2020-12-24T19:43:48.737556 #228]  INFO -- : [2d546938-c52a-465f-8269-6b0a5871cc8d] Processing by Users::SessionsController#create as HTML
I, [2020-12-24T19:43:48.737613 #228]  INFO -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]   Parameters: {"utf8"=>"✓", "authenticity_token"=>"a94x1G4PTP/UUs571hnYPenK0+UN6vK3+a+0WGY1GlNkXDLO42Xvpq3ph9cXm+yvdyxNBz/Clz9dDjPLk1Ii3g==", "user"=>{"email"=>"myuser@domain.io", "password"=>"[FILTERED]", "remember_me"=>"0"}, "button"=>""}
W, [2020-12-24T19:43:48.746737 #228]  WARN -- : [2d546938-c52a-465f-8269-6b0a5871cc8d] Can't verify CSRF token authenticity.
D, [2020-12-24T19:43:48.748787 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]   User Load (1.2ms)  SELECT  "users".* FROM "users" WHERE "users"."email" = $1 ORDER BY "users"."id" ASC LIMIT $2  [["email", "myuser@domain.io"], ["LIMIT", 1]]
D, [2020-12-24T19:43:48.860181 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]    (1.5ms)  BEGIN
...
D, [2020-12-24T19:43:48.881760 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]    (1.9ms)  SELECT MAX("audits"."version") FROM "audits" WHERE "audits"."auditable_id" = $1 AND "audits"."auditable_type" = $2  [["auditable_id", 1], ["auditable_type", "User"]]
D, [2020-12-24T19:43:48.883564 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]   Audited::Audit Create (1.1ms)  INSERT INTO "audits" ("auditable_id", "auditable_type", "user_id", "user_type", "action", "audited_changes", "version", "remote_address", "request_uuid", "created_at") VALUES ($1, $2, $3, $4, $5, $6, $7, $8, $9, $10) RETURNING "id"  [["auditable_id", 1], ["auditable_type", "User"], ["user_id", 1], ["user_type", "User"], ["action", "update"], ["audited_changes", "---\nauthy_code:\n- 8c3249\n- bbd5cb\n"], ["version", 1702], ["remote_address", "71.199.129.20"], ["request_uuid", "2d546938-c52a-465f-8269-6b0a5871cc8d"], ["created_at", "2020-12-24 19:43:48.879538"]]
D, [2020-12-24T19:43:48.885321 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]   Consultant Update (1.1ms)  UPDATE "users" SET "updated_at" = $1, "authy_code" = $2 WHERE "users"."id" = $3  [["updated_at", "2020-12-24 19:43:48.878303"], ["authy_code", "bbd5cb"], ["id", 1]]
D, [2020-12-24T19:43:48.887646 #228] DEBUG -- : [2d546938-c52a-465f-8269-6b0a5871cc8d]    (1.9ms)  COMMIT
I, [2020-12-24T19:43:48.888397 #228]  INFO -- : [2d546938-c52a-465f-8269-6b0a5871cc8d] Redirected to https://app.domain.io/authentication_method
I, [2020-12-24T19:43:48.888515 #228]  INFO -- : [2d546938-c52a-465f-8269-6b0a5871cc8d] Completed 302 Found in 151ms (ActiveRecord: 24.2ms)
I, [2020-12-24T19:43:48.926474 #228]  INFO -- : [3b441671-ef25-4483-8623-ae9d33820733] Started GET "/authentication_method" for 71.199.129.20 at 2020-12-24 19:43:48 +0000
I, [2020-12-24T19:43:48.927153 #228]  INFO -- : [3b441671-ef25-4483-8623-ae9d33820733] Processing by CommonController#authentication_method as HTML
I, [2020-12-24T19:43:48.935237 #228]  INFO -- : [3b441671-ef25-4483-8623-ae9d33820733] Completed 401 Unauthorized in 8ms (ActiveRecord: 4.9ms)

I know the issue is related to the CSRF token, but even disabling the Brave shield in private mode doesn't seem to do the trick.

When I look into Brave's cookies for the domain, I see the following:

[screenshot of Brave's cookie list for the domain, not reproduced]

Here's what I have in my config/initializers/session_store.rb file:

# frozen_string_literal: true

# domain: :all with tld_length: 2 scopes the session cookie to the registrable
# domain (Domain=.domain.io), so it is shared by every subdomain.
Rails.application.config.session_store :active_record_store, key: "_my_company_session_#{Rails.env}", domain: :all, tld_length: 2

How can I fix this? I'm assuming that the issue here is that there are duplicate cookies being assigned when browsing to the app, one for the .domain.io domain and the other for app.domain.io domain.

  • Think you have a domain issue: it sets this cookie for one domain (.domain.io) when you open the Sign in page, but then you are submitting it to a different one (app.domain.io). – Alex Tatarnikov Dec 24 '20 at 20:20
  • If using a subdomain, it's the issue coming from it. If planning to use the same session for the entire domain itself: https://stackoverflow.com/questions/10402777/share-session-cookies-between-subdomains-in-rails/43023869#43023869 – 7urkm3n Dec 24 '20 at 20:44
  • I think the only potential issue with that solution for me is that I have different CNAME records that are set up to point to the domain. So by setting a hardcoded domain, I'd have to modify this each time, right? – LewlSauce Dec 25 '20 at 16:08
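Added illustration of the mechanism the question and the first comment point at (this is example code, not from the question, from Rails or from Rack): when a browser holds two cookies with the same name, one host-only for app.domain.io and one scoped to .domain.io, both domain-match a request to app.domain.io and both are sent, older one first (RFC 6265 section 5.4); Rack's cookie parser keeps the first value it sees, so the server can load a stale session whose stored CSRF token does not match the form's `authenticity_token`. The cookie name `_my_company_session_production` follows the session_store.rb on the page; the hostnames and the values `stale-session`/`fresh-session` are constructed for the demonstration.

```ruby
# Added example (not from the question, not Rails or Rack code): a minimal model
# of how a browser chooses cookies for a request (RFC 6265 section 5.4) and how
# a Rack-style server reads the Cookie header, showing why two session cookies
# with the same name but different Domain scopes make the server load the
# wrong session, and with it the wrong CSRF token.

Cookie = Struct.new(:name, :value, :domain, :host_only, :path, :seq, keyword_init: true)

class BrowserCookieJar
  def initialize
    @cookies = []
    @seq = 0 # creation order; on equal paths browsers send older cookies first
  end

  # Store a Set-Cookie issued by request_host. A Domain attribute makes a
  # "domain cookie" that also matches subdomains; without it the cookie is
  # host-only (sent to request_host exactly). Rails' `domain: :all, tld_length: 2`
  # on app.domain.io produces Domain=.domain.io.
  def set(request_host, name:, value:, domain: nil, path: '/')
    host_only = domain.nil?
    scope = host_only ? request_host : domain.sub(/\A\./, '')
    # Same name + domain + path replaces the existing cookie (RFC 6265 section 5.3).
    @cookies.reject! { |c| c.name == name && c.domain == scope && c.path == path }
    @cookies << Cookie.new(name: name, value: value, domain: scope,
                           host_only: host_only, path: path, seq: (@seq += 1))
  end

  # A Set-Cookie with Max-Age=0 (Rails: cookies.delete) only removes the cookie
  # whose Domain and Path match, so the scope has to be named explicitly.
  def expire(request_host, name:, domain: nil, path: '/')
    scope = domain.nil? ? request_host : domain.sub(/\A\./, '')
    @cookies.reject! { |c| c.name == name && c.domain == scope && c.path == path }
  end

  # Cookies sent to request_host: every domain-matching cookie, longer paths
  # first, then creation order (RFC 6265 section 5.4 step 2).
  def cookies_for(request_host, path = '/')
    @cookies.select { |c| domain_match?(request_host, c) && path.start_with?(c.path) }
            .sort_by { |c| [-c.path.length, c.seq] }
  end

  def cookie_header(request_host, path = '/')
    cookies_for(request_host, path).map { |c| "#{c.name}=#{c.value}" }.join('; ')
  end

  private

  def domain_match?(host, cookie)
    return host == cookie.domain if cookie.host_only
    host == cookie.domain || host.end_with?(".#{cookie.domain}")
  end
end

# Server side. Rack's cookie header parsing keeps the FIRST value when a cookie
# name repeats, so whichever copy the browser lists first is the one Rails sees.
def parse_cookie_header(header)
  header.split(/;\s*/).each_with_object({}) do |pair, cookies|
    name, value = pair.split('=', 2)
    cookies[name] = value unless cookies.key?(name)
  end
end

SESSION_KEY = '_my_company_session_production' # key pattern from the question's session_store.rb

# Constructed scenario: a host-only session cookie left over from before the
# `domain: :all` change, then a new domain-wide one set on the sign-in page.
# The older host-only copy is sent first, so the server loads the stale session
# and the authenticity_token in the POST does not match it -> "Can't verify CSRF".
def session_seen_with_duplicate_cookies
  jar = BrowserCookieJar.new
  jar.set('app.domain.io', name: SESSION_KEY, value: 'stale-session')
  jar.set('app.domain.io', name: SESSION_KEY, value: 'fresh-session', domain: '.domain.io')
  parse_cookie_header(jar.cookie_header('app.domain.io'))[SESSION_KEY]
end

# Remedy: expire the host-only copy at its own scope, then keep the session
# under a single Domain scope so only one cookie of that name can exist.
def session_seen_after_single_scope
  jar = BrowserCookieJar.new
  jar.set('app.domain.io', name: SESSION_KEY, value: 'stale-session')
  jar.expire('app.domain.io', name: SESSION_KEY) # host-only copy, Max-Age=0
  jar.set('app.domain.io', name: SESSION_KEY, value: 'fresh-session', domain: '.domain.io')
  parse_cookie_header(jar.cookie_header('app.domain.io'))[SESSION_KEY]
end

puts "duplicate scopes -> #{session_seen_with_duplicate_cookies}" # stale-session
puts "single scope     -> #{session_seen_after_single_scope}"     # fresh-session
```

The practical check is the browser's cookie list for the site: two entries with the session key name but different Domain columns (one `app.domain.io`, one `.domain.io`) reproduce the first scenario, and the request log then shows exactly the pattern in the question, a `Can't verify CSRF token authenticity` warning followed by a `401` on the next page. Whichever scope the app settles on, every place that writes or deletes the session cookie must use the same Domain and Path, otherwise a second copy accumulates again.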
