
Unleash-Session Cookie Sent In Headers #8029

Closed
ruthChavshush opened this issue Sep 1, 2024 · 10 comments · Fixed by #8435

@ruthChavshush (Author)

Describe the bug

Hi :)
We are having the bug that I saw this issue opened about.
Opening Unleash and the application in the same domain returns a 401 error for the toggle request, because the Cookie header has been sent.
I tried to use the customHeaders property to override the value in the Cookie header, but it doesn't seem to help and it still uses the cookie.
Is this bug known, and have you fixed it?
And do you have a suggestion for how to deal with it in the meantime?
Thanks in advance!!

Steps to reproduce the bug

  1. Open the Unleash UI and log in.
  2. Open your web application in another tab on the same domain.
  3. The request to Unleash fails due to the unleash-session cookie header.

Expected behavior

When using an Unleash token, I don't want the session cookie to be sent as well.

Logs, error output, etc.

No response

Screenshots

[two screenshots]

Additional context

No response

Unleash version

No response

Subscription type

None

Hosting type

Self-hosted

SDK information (language and version)

React v4

@ivarconr (Member) commented Sep 3, 2024

Hi there,
I see you are using an admin token. That will not work with the frontend API. You need to use a proper "frontend token".

@ruthChavshush (Author)

Hi @ivarconr,
Thanks for your response :)
The screenshot I sent was my mistake.
I thought sending an admin token would work with the unleash-session cookie.
Here you can see that I get a 401 even when sending the frontend token.
[two screenshots]

@ivarconr (Member) commented Sep 4, 2024

Hi,

I tested this on our demo instance, and I was not able to reproduce your issue using curl.

curl 'https://app.unleash-hosted.com/demo/api/frontend' \
  -H 'Accept: */*' \
  -H 'Cookie: unleash-session=s%3AgKenzI2KNJ3DKRv5Y9M5ZZGo84-TFYAM.D4mX7XRkXkN%2Bc%2FRdbgAOePp0LFdDdT3xCw3ENhXXBXk' \
  -H 'Authorization: default:development.5d6b7aaeb6a9165f28e91290d13ba0ed39f56f6d9e6952c642fed7cc'

When looking at the error "InvalidTokenError", it actually tries to parse the token, but it is not considered the correct type. The most likely reason is that you are trying to use a "client" token and not a "frontend" token.

Can you please verify that the token is a "frontend token"?

@ruthChavshush (Author) commented Sep 4, 2024

@ivarconr
I made sure, and I am using a frontend-type token.
[screenshot]
Moreover, if I manually delete the unleash-session cookie, the request succeeds.

@ivarconr (Member) commented Sep 5, 2024

Can you please answer these:

  1. Which version of Unleash is this?
  2. Could you validate that it fails with a curl command as well, and show the results here?
  3. Can you validate that it fails in incognito mode?

@ruthChavshush (Author)

Hi @ivarconr ;)

  1. v6.1.12
  2. Here is the output with curl.
    [screenshot]
    this is the exact curl command: curl ^"https://hotam-internal.dev.digital.idf.il/unleash/api/frontend?environment=production&appName=hotam-internal&sessionId=429954792&properties^%^5Bmsal_user_name^%^5D=xd.RChavshush^%^40idf.il^" ^
    -H "accept: application/json" ^
    -H "accept-language: he-IL,he;q=0.9,en-US;q=0.8,en;q=0.7" ^
    -H "authorization: *:development.0d85183fd9da8028f3e3cee24404d8513586bb66e1a9fdc041a842d7" ^
    -H "cache-control: max-age=0" ^
    -H ^"cookie: unleash-session=s^%^3Ap6dApjFNMDhi_w3lyqx0yfFKn_kkCKxA.Wh1qmiOgwVfgomka0gZyYIVGndl2PWWB3TKXB6FyJjg^" ^
    -H "priority: u=1, i" ^
    -H "referer: https://hotam-internal.dev.digital.idf.il/burial" ^
    -H "ruth: test" ^
    -H ^"sec-ch-ua: ^^"Chromium^^";v=^^"128^^", ^^"Not;A=Brand^^";v=^^"24^^", ^^"Google Chrome^^";v=^^"128^^"^" ^
    -H "sec-ch-ua-mobile: ?0" ^
    -H ^"sec-ch-ua-platform: ^^"Windows^^"^" ^
    -H "sec-fetch-dest: empty" ^
    -H "sec-fetch-mode: cors" ^
    -H "sec-fetch-site: same-origin" ^
    -H "user-agent: Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/128.0.0.0 Safari/537.36"
  3. Yes, it also fails in incognito mode (when the Unleash GUI is open too, so the cookies are common).

@ivarconr (Member)

Are you able to reproduce it on demo?
https://app.unleash-hosted.com/demo/

@github-project-automation github-project-automation bot moved this from Investigating to Done in Issues and PRs Oct 1, 2024
@gastonfournier gastonfournier moved this from Done to Investigating in Issues and PRs Oct 10, 2024
@github-project-automation github-project-automation bot moved this from Investigating to New in Issues and PRs Oct 10, 2024
@gastonfournier (Contributor) commented Oct 10, 2024

Hi @ruthChavshush, I'll try to reproduce it myself, but I see the curl command you're sending is not well formed, as it's not identifying your authorization header (based on the response from the server), and there are some weird characters there that I think result in your command outputting things like 'sessionId' is not recognized as an internal or external command. Could you please try to amend that and try again? I'll let you know my findings.

Also, what SDK are you using in your web application? You didn't mention much about it.

@gastonfournier (Contributor)

Ok, I was able to reproduce; tomorrow I'll dive deeper. First call, using the cookie after I signed up to Unleash in the same domain: I get invalid token. Second request, modifying the cookie to something invalid: it works fine. Third attempt, removing the cookie: it also works fine.

To test I used this: https://github.com/gastonfournier/sample-same-domain-cookie-issue

Below you can see the output:

~  $ curl 'http://127.0.0.1:8080/unleash/api/frontend?sessionId=589979054&appName=frontend-app-test&environment=development' -H 'Accept: application/json' -H 'Authorization: *:development.4bc3d433ea828c4d4cbd3b1dda5eeebed14fd2533fad157f833c9234' -H 'Cookie: unleash-session=s%3ATCpF4mRLaC4gT5GINPYnMKEYk3NuuonY.T%2Beis3ZiB9Od0m%2FYfE8RiI5sN5LeNnYoKvePamXXYWc' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   150  100   150    0     0  22029      0 --:--:-- --:--:-- --:--:-- 25000
{
  "id": "7ba73cac-c323-4482-a246-dcfdb03c8603",
  "name": "InvalidTokenError",
  "message": "Token was not valid",
  "details": [
    {
      "message": "Token was not valid"
    }
  ]
}
~  $ curl 'http://127.0.0.1:8080/unleash/api/frontend?sessionId=589979054&appName=frontend-app-test&environment=development' -H 'Accept: application/json' -H 'Authorization: *:development.4bc3d433ea828c4d4cbd3b1dda5eeebed14fd2533fad157f833c9234' -H 'Cookie: unleash-session=INVALID' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' | jq
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   158  100   158    0     0  61936      0 --:--:-- --:--:-- --:--:-- 79000
{
  "toggles": [
    {
      "name": "test",
      "enabled": true,
      "variant": {
        "name": "disabled",
        "enabled": false,
        "feature_enabled": true,
        "featureEnabled": true
      },
      "impressionData": false
    }
  ]
}
~  $ curl 'http://127.0.0.1:8080/unleash/api/frontend?sessionId=589979054&appName=frontend-app-test&environment=development' -H 'Accept: application/json' -H 'Authorization: *:development.4bc3d433ea828c4d4cbd3b1dda5eeebed14fd2533fad157f833c9234' -H 'Sec-Fetch-Mode: cors' -H 'Sec-Fetch-Site: same-origin' -H 'Pragma: no-cache' -H 'Cache-Control: no-cache' | jq        
  % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                 Dload  Upload   Total   Spent    Left  Speed
100   158  100   158    0     0  54146      0 --:--:-- --:--:-- --:--:-- 79000
{
  "toggles": [
    {
      "name": "test",
      "enabled": true,
      "variant": {
        "name": "disabled",
        "enabled": false,
        "feature_enabled": true,
        "featureEnabled": true
      },
      "impressionData": false
    }
  ]
}
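The three curl results above (valid session cookie plus frontend token: 401; garbage cookie plus token: 200; no cookie plus token: 200) are the signature of a credential-precedence problem: the browser attaches the unleash-session cookie ambiently to every same-origin request, and if the server resolves that session before it looks at the explicit Authorization header, the frontend endpoint sees a logged-in user rather than a frontend token and rejects the call. The JavaScript below is an added illustration of that failure mode and of the defensive ordering, not Unleash's code and not the fix merged in #8435 (whose contents are not shown here); the session-first ordering as the root cause is an assumption drawn from the three responses, and every token, session id and user record in it is constructed for the demo.

```javascript
// Added illustration (not Unleash's own code): a session cookie shadowing an
// explicit frontend API token when two authenticators share one pipeline.
// All tokens, session ids and user records below are constructed for the demo.

const FRONTEND_TOKENS = new Map([
  ['*:development.demo-frontend-token', { type: 'frontend', environment: 'development' }],
]);
const CLIENT_TOKENS = new Map([
  ['*:development.demo-client-token', { type: 'client', environment: 'development' }],
]);
const SESSIONS = new Map([
  ['demo-valid-session', { type: 'user', username: 'admin' }],
]);

// Minimal Cookie header parsing: "a=1; b=2" -> { a: '1', b: '2' }.
function parseCookies(header) {
  const out = {};
  if (!header) return out;
  for (const part of header.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Resolve a principal from the explicit credential the caller chose to send.
function principalFromToken(authHeader) {
  if (!authHeader) return null;
  return FRONTEND_TOKENS.get(authHeader) || CLIENT_TOKENS.get(authHeader) || null;
}

// Resolve a principal from the ambient session cookie the browser attached.
function principalFromSession(cookieHeader) {
  const sid = parseCookies(cookieHeader)['unleash-session'];
  return sid ? SESSIONS.get(sid) || null : null;
}

// Problematic ordering (assumed cause): the session middleware runs first and,
// once it has attached a user, the Authorization header is never consulted.
function resolvePrincipalSessionFirst(req) {
  return principalFromSession(req.headers.cookie) || principalFromToken(req.headers.authorization);
}

// Defensive ordering for a token-authenticated API route: an explicit
// Authorization header is the credential the caller intends to use, and the
// ambient session cookie is ignored for this route entirely.
function resolvePrincipalTokenFirst(req) {
  return principalFromToken(req.headers.authorization);
}

// The frontend endpoint accepts only frontend-type tokens; anything else maps
// to the same "InvalidTokenError" shape seen in the thread.
function handleFrontendRequest(req, resolve) {
  const principal = resolve(req);
  if (!principal || principal.type !== 'frontend') {
    return { status: 401, body: { name: 'InvalidTokenError', message: 'Token was not valid' } };
  }
  return { status: 200, body: { toggles: [{ name: 'test', enabled: true }] } };
}

// Replay the three requests from the reproduction and return status per case.
function runScenarios(resolve) {
  const auth = '*:development.demo-frontend-token';
  const requests = {
    validCookie:   { headers: { authorization: auth, cookie: 'unleash-session=demo-valid-session' } },
    invalidCookie: { headers: { authorization: auth, cookie: 'unleash-session=INVALID' } },
    noCookie:      { headers: { authorization: auth } },
  };
  const out = {};
  for (const [name, req] of Object.entries(requests)) {
    out[name] = handleFrontendRequest(req, resolve).status;
  }
  return out;
}

console.log('session-first:', runScenarios(resolvePrincipalSessionFirst)); // validCookie 401, others 200
console.log('token-first:  ', runScenarios(resolvePrincipalTokenFirst));   // all 200
```

The useful check for operators is the middle case: if a deliberately corrupted session cookie makes a failing request succeed, the rejection is coming from session handling, not from the API token, and the route needs to stop treating the ambient session as its credential. The token-first resolver also still rejects a client-type token on the frontend route, which is the separate mistake ivarconr first suspected.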

@gastonfournier gastonfournier moved this from Investigating to In Progress in Issues and PRs Oct 11, 2024
@github-project-automation github-project-automation bot moved this from In Progress to Done in Issues and PRs Oct 15, 2024
@ruthChavshush (Author)

@gastonfournier Thank you, it is resolved🔥
