Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Cypress reuses a stale cookie #25841

Open
valscion opened this issue Feb 16, 2023 · 39 comments
Open

Cypress reuses a stale cookie #25841

valscion opened this issue Feb 16, 2023 · 39 comments
Labels
E2E Issue related to end-to-end testing Reproducible Can be reproduced topic: cookies 🍪 Triaged Issue has been routed to backlog. This is not a commitment to have it prioritized by the team. type: bug

Comments

@valscion
Copy link

valscion commented Feb 16, 2023

Current behavior

See below

Desired behavior

No response

Test code to reproduce

See below

Cypress Version

38a65a6#comments

Node version

v16.13.0

Operating System

macOS 13.1 (22C65)

Debug Logs

No response

Other

Note

This issue was originally discussed in #25761 so this issue description can be a bit confusing.

I am opening a new issue as requested by @AtofStryker in #25761 (comment):

Also, would you be willing to open a separate issue for this outside of #25174 since I think the cause of your problem might actually be unrelated?


I took the version in 38a65a6#comments for a spin and that doesn't yet seem to resolve my original issue. However I can no longer see duplicated cookies prepended with a dot (as in #25174) so I'll have to dig deeper into figuring out what could cause the error I'm seeing in #25174 (comment)

I'd be more than happy to debug further if there's parts that would help figure out what's going wrong here. Anything that could provide you more insight onto this particular case is appreciated.

The application code under test is mostly doing this:

  1. click the "send reply button"
  2. Triggers an AJAX query with jQuery.ajax
  3. Once AJAX request is done, does document.location.reload(true)
  4. After reload, the UI should contain the flash message that uses the cookie server set during the AJAX request

With Cypress v11.2.0

cypress-11 2

cypress-11 2-reload

The exported HAR file from Google Chrome's Network inspector: test.venuu.fi-cypress-11.2.har.zip

With this PR

cypress-12 x

cypress-12 x-reload

The exported HAR file from Google Chrome's Network inspector: test.venuu.fi-cypress-12.x.har.zip

Originally posted by @valscion in #25761 (comment)


@valscion thank you for taking a look at this! I was going to update today since I was out, but you beat me to it. I am going to take a look and see what might be causing your issue here. Possibly a cookie getting overwritten? I should have an update soon!

Originally posted by @AtofStryker in #25761 (comment)


@valscion Just from looking at the screenshots, the cookies being sent look correct? Are you able to verify if cookies are being doubled up in the request with DEBUG=cypress-verbose:proxy:http enabled and seeing the cookies attached in the requests with the "cookies being sent with request" log?

Originally posted by @AtofStryker in #25761 (comment)


Here's the full STDERR output (using the build from commit c1d8360) from running with DEBUG=cypress-verbose:proxy:http: https://gist.github.com/valscion/8c05b57d24102f42ed5931e51c463439

I noticed these parts from the logs that look suspicious to me (formatted the JS objects output for easier reading):

2023-02-14T07:30:30.493Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingRequest proxying request
{
  req: {
    method: "POST",
    proxiedUrl:
      "http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456db22cac/messages",
    headers: {
      host: "test.venuu.fi:3010",
      "proxy-connection": "keep-alive",
      "content-length": "851",
      accept: "application/json, text/javascript, */*; q=0.01",
      "content-type":
        "multipart/form-data; boundary=----WebKitFormBoundary7BgtAJBYCqpeBJb2",
      cookie:
        "_venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI3Ljc5NloiLCJwdXIiOm51bGx9fQ%3D%3D--75083b7fa8c13d1c917741ec296865022db46112",
      origin: "http://test.venuu.fi:3010",
      "user-agent":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
      "x-requested-with": "XMLHttpRequest",
      "x-cypress-is-xhr-or-fetch": "xhr",
      referer:
        "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
      "accept-encoding": "gzip, deflate",
      "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    },
  },
}

2023-02-14T07:30:30.493Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingRequest found x-cypress-is-xhr-or-fetch header. Deleting x-cypress-is-xhr-or-fetch header.

2023-02-14T07:30:30.493Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingRequest waiting for prerequest

2023-02-14T07:30:30.649Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingResponse received response
{
  req: {
    method: "POST",
    proxiedUrl:
      "http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456db22cac/messages",
    headers: {
      host: "test.venuu.fi:3010",
      "proxy-connection": "keep-alive",
      "content-length": "851",
      accept: "application/json, text/javascript, */*; q=0.01",
      "content-type":
        "multipart/form-data; boundary=----WebKitFormBoundary7BgtAJBYCqpeBJb2",
      cookie:
        "_venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI3Ljc5NloiLCJwdXIiOm51bGx9fQ%3D%3D--75083b7fa8c13d1c917741ec296865022db46112",
      origin: "http://test.venuu.fi:3010",
      "user-agent":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
      "x-requested-with": "XMLHttpRequest",
      referer:
        "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
      "accept-encoding": "gzip",
      "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    },
  },
  incomingRes: {
    headers: {
      "x-frame-options": "SAMEORIGIN",
      "x-xss-protection": "1; mode=block",
      "x-content-type-options": "nosniff",
      "x-download-options": "noopen",
      "x-permitted-cross-domain-policies": "none",
      "referrer-policy": "strict-origin-when-cross-origin",
      "cache-control": "no-cache",
      "set-cookie": [Array],
      "x-request-id": "7bc241d9-08d0-442f-9b60-8e6f8b0bd62c",
      "x-runtime": "0.129650",
    },
    statusCode: 204,
  },
}

2023-02-14T07:30:30.650Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingResponse determine injection

2023-02-14T07:30:30.650Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingResponse - no injection (not html)

2023-02-14T07:30:30.650Z cypress-verbose:proxy:http POST http://test.venuu.fi:3010/admin/catering_inquiries/43d7cb56-d927-4dc7-b2ae-9e456... IncomingResponse injection levels: { isInitial: false, wantsInjection: false, wantsSecurityRemoved: false }

2023-02-14T07:30:30.663Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest proxying request
{
  req: {
    method: "GET",
    proxiedUrl:
      "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
    headers: {
      host: "test.venuu.fi:3010",
      "proxy-connection": "keep-alive",
      "cache-control": "max-age=0",
      accept:
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
      cookie:
        "_venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjMwLjYwMVoiLCJwdXIiOm51bGx9fQ%3D%3D--3c22d37cc6095f39ccd750dfaf8857adb9415762; _venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698; __cypress.initial=true",
      "upgrade-insecure-requests": "1",
      "user-agent":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
      "x-cypress-is-aut-frame": "true",
      referer:
        "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
      "accept-encoding": "gzip, deflate",
      "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    },
  },
}


2023-02-14T07:30:30.663Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest should cookies be attached to request?: true

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest existing cookies on request from cookie jar: _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI1LjY4MFoiLCJwdXIiOm51bGx9fQ%3D%3D--1c0cbe7da70d734384a8db72bb0a423221026f6f; Expires=Mon, 14 Aug 2023 07:30:25 GMT; Path=/; SameSite=Lax; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; Expires=Fri, 14 Feb 2025 07:30:25 GMT; Path=/; SameSite=Lax; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; Path=/; SameSite=Lax

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest add cookies to request from header: _venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjMwLjYwMVoiLCJwdXIiOm51bGx9fQ%3D%3D--3c22d37cc6095f39ccd750dfaf8857adb9415762; _venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698; __cypress.initial=true

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest cookies being sent with request: _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI1LjY4MFoiLCJwdXIiOm51bGx9fQ%3D%3D--1c0cbe7da70d734384a8db72bb0a423221026f6f; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; _venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; __cypress.initial=true

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest waiting for prerequest

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest Incoming request GET-http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5 matches known pre-request:
{
  browserPreRequest: {
    requestId: "38E779180BE834F055D1E00804BFFF0B",
    method: "GET",
    url: "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
    headers: {
      Referer:
        "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
      "Upgrade-Insecure-Requests": "1",
      "User-Agent":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
    },
    resourceType: "other",
    originalResourceType: "Document",
  },
  timestamp: 1676359830660,
}


2023-02-14T07:30:30.858Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse determine injection

2023-02-14T07:30:30.859Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse - full injection

2023-02-14T07:30:30.859Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse injection levels: { isInitial: true, wantsInjection: 'full', wantsSecurityRemoved: true }

2023-02-14T07:30:30.861Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse injecting into HTML

2023-02-14T07:30:30.861Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse ensuring resStream is plaintext

2023-02-14T07:30:30.861Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse gunzipping response body

2023-02-14T07:30:30.862Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse inferred charset from response { httpCharset: 'utf8' }

2023-02-14T07:30:30.863Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingResponse regzipping response body

And more specifically this one:

2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest cookies being sent with request: _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI1LjY4MFoiLCJwdXIiOm51bGx9fQ%3D%3D--1c0cbe7da70d734384a8db72bb0a423221026f6f; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; _venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; __cypress.initial=true

It appears that it's sending

_venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce;

while the earlier line used a much much longer _venuu_flash value here:

2023-02-14T07:30:30.663Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest proxying request
{
  req: {
    method: "GET",
    proxiedUrl:
      "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
    headers: {
      host: "test.venuu.fi:3010",
      "proxy-connection": "keep-alive",
      "cache-control": "max-age=0",
      accept:
        "text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7",
      cookie:
        "_venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjMwLjYwMVoiLCJwdXIiOm51bGx9fQ%3D%3D--3c22d37cc6095f39ccd750dfaf8857adb9415762; _venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698; __cypress.initial=true",
      "upgrade-insecure-requests": "1",
      "user-agent":
        "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36",
      "x-cypress-is-aut-frame": "true",
      referer:
        "http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5",
      "accept-encoding": "gzip, deflate",
      "accept-language": "en-GB,en-US;q=0.9,en;q=0.8",
    },
  },
}

That is, the cookie value should've been:

_venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698;

Originally posted by @valscion in #25761 (comment)


Thank you for sending that over @valscion

I think I can see what is going on here. I looked at the gist you provided and right along this line I noticed something.

2023-02-14T07:30:30.663Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest proxying request { req: { method: 'GET', proxiedUrl: 'http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5', headers: { host: 'test.venuu.fi:3010', 'proxy-connection': 'keep-alive', 'cache-control': 'max-age=0', accept: 'text/html,application/xhtml+xml,application/xml;q=0.9,image/avif,image/webp,image/apng,*/*;q=0.8,application/signed-exchange;v=b3;q=0.7', cookie: '_venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjMwLjYwMVoiLCJwdXIiOm51bGx9fQ%3D%3D--3c22d37cc6095f39ccd750dfaf8857adb9415762; _venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698; __cypress.initial=true', 'upgrade-insecure-requests': '1', 'user-agent': 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/110.0.0.0 Safari/537.36', 'x-cypress-is-aut-frame': 'true', referer: 'http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?auth=c4943930b82d2049769b8eefd7ffcfb27cfd9a89e7f934f5', 'accept-encoding': 'gzip, deflate', 'accept-language': 'en-GB,en-US;q=0.9,en;q=0.8' } } }
2023-02-14T07:30:30.663Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest should cookies be attached to request?: true
2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest existing cookies on request from cookie jar: _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI1LjY4MFoiLCJwdXIiOm51bGx9fQ%3D%3D--1c0cbe7da70d734384a8db72bb0a423221026f6f; Expires=Mon, 14 Aug 2023 07:30:25 GMT; Path=/; SameSite=Lax; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; Expires=Fri, 14 Feb 2025 07:30:25 GMT; Path=/; SameSite=Lax; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; Path=/; SameSite=Lax
2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest add cookies to request from header: _venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjMwLjYwMVoiLCJwdXIiOm51bGx9fQ%3D%3D--3c22d37cc6095f39ccd750dfaf8857adb9415762; _venuu_flash=IntcImRpc2NhcmRcIjpbXSxcImZsYXNoZXNcIjp7XCJfcmVwbHlfc2VudFwiOntcIm5hbWVcIjpcIkpvaG4gRG9lXCIsXCJlbWFpbFwiOlwiam9obi5kb2VAZXhhbXBsZS5jb21cIn19fSI%3D--465b441a893b80fbe1b91ab62bbb00cbc8bfb698; __cypress.initial=true
2023-02-14T07:30:30.664Z cypress-verbose:proxy:http GET http://test.venuu.fi:3010/admin/kyselyt/c-43d7cb56-d927-4dc7-b2ae-9e456db22cac?a... IncomingRequest cookies being sent with request: _csrf_token=eyJfcmFpbHMiOnsibWVzc2FnZSI6IkltbzRVV1E0TkRGMmRtOVhka3BSVURkNmRrNVBXRlpTYmtSamFUbDVObEpIVWpJcmRuRnlZbGcyTTFVOUlnPT0iLCJleHAiOiIyMDIzLTA4LTE0VDA3OjMwOjI1LjY4MFoiLCJwdXIiOm51bGx9fQ%3D%3D--1c0cbe7da70d734384a8db72bb0a423221026f6f; cheekify_uid=aacf2693-c006-5a05-a446-a8d4570a9bf5; _venuu_flash=Im51bGwi--a3a459402d346d78f3660d86828309d06cc095ce; _venuu_session_id=7bed991bcafb0c91e358c29c469b00ae; visitor_uuid=ImE3MTQ1M2Y3LWViZjQtNGUxMS04MjM4LWY4NTBlMmIwZWJhMCI%3D--41ca8b8449c42e5a7c030ffe526dff4cef83aca6; cheekify_a=8c0324f1-fd7a-43aa-9e58-7821c687f4a9; ajs_anonymous_id=%228c0324f1-fd7a-43aa-9e58-7821c687f4a9%22; __cypress.initial=true

From what I can see, this request and a few others, are making Document requests to the main server, which is telling the server side cookie jar that cookies should be simulated since we might need to simulate the navigation. The problem is the initial cookie that is set is stored in the cookie jar, but isn't updated because it doesn't fit the simulation criteria. Then, when this request is sent through, the cookie jar overwrites the cookies sent in the request with stale cookie values, which is what we are seeing in these logs.

Unfortunately, I think this issue might be out of scope for this PR, but I am trying to think of ways we might be able to solve it.

  • We need a way for the server side cookie jar to be in sync with what is in the browser. Right now, we sync values set in the jar down to the browser and CDP, but we don't sync them back up. So if something doesn't fit the criteria for the simulated jar, the jar becomes stale. We can fix this by syncing back up if a value were to change (most accurate), or by capturing cookies in the server jar on every request. I don't think we can rely on sec-fetch-mode or other types of metadata unfortunately.

To help confirm this is the case, are you able to try this binary? The windows binaries did not build for this job, but this commit might be a good start to rule out if this is the issue since we don't have a reprod for this particular thing. If you need a windows binary, let me know!

Also, would you be willing to open a separate issue for this outside of #25174 since I think the cause of your problem might actually be unrelated?

Originally posted by @AtofStryker in #25761 (comment)

@valscion
Copy link
Author

valscion commented Feb 16, 2023

Here's the rerun logs using d44b202#comments binary as you asked @AtofStryker:

https://gist.github.com/valscion/842d6f893d43e5698d57d64d44f2c74d

The error still remains.

Let me know if I can help with this case in any way.

@AtofStryker AtofStryker added stage: investigating Someone from Cypress is looking into this topic: cookies 🍪 labels Feb 16, 2023
@AtofStryker
Copy link
Contributor

@valscion thank you for moving this over into it's own issue. I'm surprised the binary didn't really have an impact as I would think it would take the newer cookie over the stale value in the jar before sending the request out.

You have already provided a lot with a reproduction for the prepended dot issue, but would you also be able to get a small reproduction up and running for this issue? I might be able to debug the issue a bit faster and see if the solution I think might work will help us out here.

@valscion
Copy link
Author

would you also be able to get a small reproduction up and running for this issue?

Eesh, I can try — I was quite surprised to see that the reproduction I made with the prepended dot issue didn't show this issue as I tried to make it so 😅

I'll try to create a reproduction as I know fixing this issue without one will be next to impossible.

@AtofStryker
Copy link
Contributor

I'll try to create a reproduction as I know fixing this issue without one will be next to impossible.

@valscion I think it will be tough, but I think I have an idea what is going on here, especially from the logs. What I can try to do is try to get a fix together for what I think might fix the issue and build a binary for it.

The problem is the fix might be fairly involved, likely more so than the prepended dot work. I have some other things I need to get through but I am hoping I can start trying something by Friday?

@valscion
Copy link
Author

@AtofStryker I managed to create a reproduction after a few hours of headbanging! 🎉

Here: https://github.com/valscion/cypress-stale-cookie-issue-reproduction

Let me know if there's anything more to this that you'd need ☺️. I've verified that this same issue appears also when doing XHR requests with jQuery, but I figured the reproduction is simpler if I just use the global fetch() instead.

@AtofStryker
Copy link
Contributor

@valscion awesome this should work! I need to figure out a way to run it since I have some permissions issues updating gem on my mac that are out of my control, and my linux machine is currently bricked 🙁 . I should be able to repartition my ubuntu install and get this up and running.

@valscion
Copy link
Author

valscion commented Feb 21, 2023

Oh damn. I can take a quick look if I can get this reproduction to run the Rails server inside Docker and update if I can't make it happen.

I think you should be OK with not upgrading your system gem in any way if you install the rbenv and configure that properly. That way gem comes from rbenv, not from your system Ruby.

@valscion
Copy link
Author

Ok there's now a way to boot the Rails test server with Docker:

docker-compose --project-name=cypress-stale-cookie-repro up --build

Let me know if that works for you ☺️

@AtofStryker
Copy link
Contributor

@valscion docker-compose worked great! I was able to reproduce the issue and verify the actual behavior in the browser. Hoping to be able to investigate soon.

@valscion
Copy link
Author

valscion commented Mar 1, 2023

I updated the reproduction repository to v12.7.0 and posted the logs, screenshots and videos of failed test runs in this issue:

@AtofStryker
Copy link
Contributor

@valscion awesome. I am hoping to take a deeper dive soon to figure out what the problem is.

@o3-steven
Copy link

I have the same issue as well and can verify my logs match what is shown. I also turned on cookie debug and noticed there was a difference in the sameSite attribute for these cookies when they were being set by Cypress. The old cookie has sameSite:"lax" and the new cookie has sameSite:"unspecified". In the browser I'm not sure if that helps or hurts but that is the only obvious difference between the two that I can see on the front end. In the dev tools for the Chrome browser there isn't a value shown for sameSite

@valscion
Copy link
Author

valscion commented Mar 8, 2023

The old cookie has sameSite:"lax" and the new cookie has sameSite:"unspecified".

That appears slightly different to what's happening in here. Maybe it's worth it to open a new issue about your issue @o3-steven and provide all the necessary issue details to triage that case?

@nagash77 nagash77 added E2E Issue related to end-to-end testing Triaged Issue has been routed to backlog. This is not a commitment to have it prioritized by the team. and removed routed-to-e2e labels Apr 19, 2023
@jlherren
Copy link

jlherren commented May 3, 2023

I have the same issue, with pretty much the same setup: I do a login via an AJAX request, which sets new cookies. Afterwards the page is reloaded, but this page reload sends the old cookies, instead of the new ones.

This first starts happening with Cypress 10.10.0 and persists up to Cypress 12.11.0, whereas Cypress 10.9.0 worked fine. The changelog for 10.10.0 mentions the following, so it might be related to one of the mentioned issues:

More accurately send/set cookies in cy.origin() when experimentalSessionAndOrigin is enabled. Addresses #23551, #22670, and #23603.

@rdadoune
Copy link

Has anyone found a workaround for this issue? My team is actively trying to upgrade to v12 but is blocked by this issue.

@valscion
Copy link
Author

We're still blocked by this at least. I would help with this if I could but it seems the amount of context one needs to have to solve this is quite high.

I'd also be happy to hear about workarounds.

@DobQA
Copy link

DobQA commented May 21, 2023

Im not sure if this is related but using latest Cypress and has caused some headache for our automation scripts with cookies, a developer had to help us resolve

"Basically the problem why this needs added is Cypress is adding a cookie value to the Request Headers of Platform requests, which is falling over and causing a stack trace issue" :-(

@AtofStryker
Copy link
Contributor

@DobQA do you know what version you were on and what you upgraded to?

@DobQA
Copy link

DobQA commented May 23, 2023

@DobQA do you know what version you were on and what you upgraded to?

Latest version / Angular 14 webpage.

I had todo a work around like below:

cy.intercept('POST', '*', (req) => {
delete req.headers['Cookie'];
delete req.headers['cookie'];
});

@AtofStryker
Copy link
Contributor

@DobQA do you know what version you were on and what you upgraded to?

Latest version / Angular 14 webpage.

I had todo a work around like below:

cy.intercept('POST', '*', (req) => { delete req.headers['Cookie']; delete req.headers['cookie']; });

OK just for historical context that should be 12.12.0 in case we are looking at this in the future.

@RickDT
Copy link

RickDT commented May 31, 2023

If it helps, we're seeing this in our codebase and have it isolated. I'd be happy to jump on a video call, but creating a repro from our app/stack would be challenging.

Our logic goes:

  1. When the user logs in (via a GraphQL API), the API response sets an auth cookie.
  2. After the API response, frontend navigates to a URL that routes conditionally based on the auth token cookie being present (which is absent in Cypress 12, but works fine in 11)
  3. Routing is wrong due to lack of cookie and tests break, making it rough to upgrade to Cypress 12

In my Cypress test, this is what I see (which is surprising and hopefully helpful). cy.getCookies() vs document.cookie are showing different things. The correct cookies are on window.parent.document.cookie,

// login via API

cy.getCookies().then((cookies) => {
  console.log(cookies) // <-- Cookie is present via cy.getCookies()
})
cy.document().then((document) => {
  console.log(document.cookie) // <-- Cookie is NOT present on document, which breaks our app
  console.log(window.parent.document.cookie) // <-- Cookie is present on Cypress host window
})

@valscion
Copy link
Author

valscion commented Jun 1, 2023

In my Cypress test, this is what I see (which is surprising and hopefully helpful). cy.getCookies() vs document.cookie are showing different things. The correct cookies are on window.parent.document.cookie,

This also looks like a different issue than the one this issue is about. Could you create a new issue and fill in all the issue template questions there?

@valscion
Copy link
Author

valscion commented Jun 1, 2023

I have updated the reproduction repository to Cypress v12.13.0 and here's the logs: valscion/cypress-stale-cookie-issue-reproduction#3 (comment)

@RickDT
Copy link

RickDT commented Jun 1, 2023

My apologies, I realized this morning that I was using the new cy.origin stuff wrong. For anyone else that lands here:

Our webapp is an oauth provider, so we have tests that start (via cy.visit) on a test site, then they click a button to navigate to our app. Since the initial cy.visit() was not to our app site, Cy 12 wasn't putting server-set cookies in our app's cookie jar.

The fix was:

cy.visit('appurl') // make an initial visit to your app to set it as the "top"

cy.origin('partner site url', () => {
  cy.visit('partner site url')
  cy.get('oauth signup button').click()
})

cy.url().should('contain', 'appurl')
// back on app site, do other stuff with your cookies in tact

@AtofStryker
Copy link
Contributor

I did want to check in and say we haven't forgotten about this issue. The team is currently occupied on other issues, but I am hoping we can get to a fix in the near future!

@o3-steven
Copy link

Hey @AtofStryker we just ran into another issue with #27216. We are going to downgrade fastglob so that we can work around this and still use grep but issues like these and not being able to upgrade cypress are going to slowly put us in a bad spot.

@valscion
Copy link
Author

valscion commented Aug 3, 2023

Reproduction repository has been updated to Cypress v12.17.3 and the failure logs are here: valscion/cypress-stale-cookie-issue-reproduction#3 (comment)

@Mert75
Copy link

Mert75 commented Sep 11, 2023

@AtofStryker any updates on the issue?

@AtofStryker
Copy link
Contributor

@Mert75 no updates yet, but as soon as we are able to work the issue I will post an update, unless anyone wants to work this as an open source contribution.

@ksazhnev
Copy link

ksazhnev commented Oct 25, 2023

Hi, @AtofStryker, are there any updates on this issue, we faced the same problem.
@valscion if you guys found any workaround, that would be helpful!

cypress_sending_old_cookie

@valscion
Copy link
Author

Nope, no workaround :(. We're still stuck with a very old Cypress version because of this

@ksazhnev
Copy link

ksazhnev commented Nov 13, 2023

In our case, after the button is clicked, there are two consecutive requests. The first request will respond with a new cookie value, set-cookie, and then the new cookie value will be used in the second request. When seeing the networking tab in dev tools, the browser displays the correct cookies to be sent; however, with debug in Cypress, it does send the old cookies from the cookie jar.
I found a temporary workaround in our case, which is deleting cookies after sending the first request and before getting the response with a new cookie value. In this case, Cypress is using cookies from the request header since the jar is empty.
I still wonder what the method that updates or syncs the cookie jar value in the Cypress code since the browser cookie jar is correct.

Here the temporary workaround I am currently using:
cy.intercept('POST', 'endpoint').as('firstRequest'); cy.get('body').find('button[type="button"]').contains('login').click(); cy.wait('@firstRequest').then((interception) => { // Delete all cookies after sending the request cy.clearCookies(); });
@valscion

@valscion
Copy link
Author

Thanks @ksazhnev! I tested your workaround in here:

However, it seems like that workaround would clear the cookies too late for the reproduction to go through unless I make the click the button again after clearing cookies.

@valscion
Copy link
Author

valscion commented Nov 13, 2023

Seems like all that is needed is clearing the cookies before doing the fetch() request:

However, if the cookies would need to be there e.g. to have a valid login session then this workaround would not work for all the possible use cases.

EDIT: Thank you a ton, @ksazhnev! I was able to get our application tesys upgraded to use Cypress 13.5.0 with this simple workaround! 🎉

@ksazhnev
Copy link

Sure glad it helped you @valscion, and thanks for opening this issue!

I think even with the login it could work depending when the cy.clearCookies() is implemented, in our case there are previous cookies that have to be passed to the request with a button click, so that is why in my case I had to delete them after the cookie was passed to the first request and then delete it before I get the respond with a new cookie.

This issue is still not resolved, I hope this will be resolved with the new version without the need for a workaround!

@jennifer-shehane jennifer-shehane removed the stage: investigating Someone from Cypress is looking into this label Nov 29, 2023
@AtofStryker
Copy link
Contributor

@valscion @ksazhnev sorry for the lack of communication on my end over the past few months as I have been out of office. I'm glad you both have a workaround in place that seems to be working, but as @ksazhnev this doesn't resolve the issue and it should remain open.

@blaubleu
Copy link

Also noticing that cy.clearCookies() is not clearing cookies.
We use a federated way to login and need to clear cookies on 2 domains.
Cypress V13.6.6 - we use Cypress cloud

cookies-not-clearing

@valscion
Copy link
Author

Also noticing that cy.clearCookies() is not clearing cookies.
We use a federated way to login and need to clear cookies on 2 domains.
Cypress V13.6.6 - we use Cypress cloud

Please create a new issue for this case as it's not clearly linked to this stale cookie usage. This sounds like a cy.clearCookies() problem.

@AtofStryker
Copy link
Contributor

tried the binary with Cypress 14 prerelease mentioned here and unfortunately does not seem to fix the issue

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
E2E Issue related to end-to-end testing Reproducible Can be reproduced topic: cookies 🍪 Triaged Issue has been routed to backlog. This is not a commitment to have it prioritized by the team. type: bug
Projects
None yet
Development

No branches or pull requests