Wed 29 Apr 2020 4:28PM

Problem with authentication using RAILS_ENV=production

Edward L Platt

I'm running loomio 1.x and for some reason, when I try to run it in the production environment, users are logged out immediately after logging in.

In trying to trace down the problem, I've found that current_user is returning nil. Hoping someone can help me understand this code. I see it is defined in CurrentUserHelper and when it is working (in development) the value is coming from super. How and when does CurrentUserHelper's super get set to a logged in User?

Note, this is all on my local machine, so the issue is definitely due to different behavior based on RAILS_ENV.


Robert Guthrie Wed 29 Apr 2020 9:08PM

Hi @Edward L Platt I would guess that you have your cookies configured incorrectly.

is ENV['CANONICAL_HOST'] correct?


Edward L Platt Thu 30 Apr 2020 2:54PM

I can't find any documentation on ENV['CANONICAL_HOST']. If my canonical DNS name is foo.bar.com, what should it be set to?

Also, is there a way to verify whether cookies are working? Either server side or browser side?


Robert Guthrie Thu 30 Apr 2020 8:32PM

So, just to clarify, you're running on localhost. It works in development and does not work in production?

When you login, the request works, but the cookie does not stick?

My guess is that this is a config issue with the "SessionStore". I'm not sure how to help much further than that.


Edward L Platt Thu 30 Apr 2020 8:53PM

Correct that I am running on localhost. I've tried setting the CANONICAL_HOST environment variable to localhost, but no change. Thanks for the pointer towards SessionStore.

In production mode, the only session cookies are signed_in (equal to 1) and XSRF-TOKEN. In development after successful sign-in, there are also session cookies called _loomio and remember_user_token. Because signed_in is there on both, it doesn't seem to be a problem creating session cookies, but could you point me towards where/how those other cookies get set?


Robert Guthrie Thu 30 Apr 2020 8:56PM

The only cookie that really matters is the _loomio cookie. It's your session cookie, and it's set rather specifically when you're in production mode; it might even be signed as secure, meaning you need to be using https.

The session_store.rb file and the rails docs are the best place to look.
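The two questions in this thread (how to verify whether cookies are working, and whether a production session cookie carries the Secure attribute) can be answered by reading the Set-Cookie headers the login response returns. The following Ruby script is an added example, not Loomio's code or anything from this thread: it parses Set-Cookie headers and reports which cookies a browser would refuse to store on a plain-http origin. The sample headers are constructed for this example; the cookie names follow the thread, but the attribute values and the `<session-id>` placeholder are assumptions.

```ruby
# Added example (not part of the Loomio project): diagnose which cookies from a
# login response a browser would drop because they are marked Secure but were
# delivered over plain http. Run with `ruby cookie_check.rb`.

# Constructed sample: Set-Cookie headers as a production-mode login might return
# them. Cookie names come from the thread; attributes and values are assumed.
SAMPLE_SET_COOKIE = [
  "signed_in=1; path=/",
  "XSRF-TOKEN=abc123; path=/",
  "_loomio=<session-id>; path=/; HttpOnly; SameSite=Lax; secure",
  "remember_user_token=tok; path=/; HttpOnly; secure"
].freeze

Cookie = Struct.new(:name, :value, :attributes, keyword_init: true)

# Parse one Set-Cookie header value into name, value and a hash of attributes.
# Flag attributes (Secure, HttpOnly) map to true; valued ones keep their value.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, value = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    key, val = attr.split("=", 2)
    h[key.downcase] = val.nil? ? true : val
  end
  Cookie.new(name: name, value: value, attributes: attributes)
end

def secure_cookie?(cookie)
  cookie.attributes.key?("secure")
end

# A browser stores a Secure cookie only when the response came over https.
def stored_by_browser?(cookie, scheme:)
  return true unless secure_cookie?(cookie)
  scheme == "https"
end

# Map each cookie name to :stored or :dropped_secure_over_http for the given scheme.
def diagnose(headers, scheme:)
  headers.map { |h| parse_set_cookie(h) }.each_with_object({}) do |cookie, report|
    report[cookie.name] =
      stored_by_browser?(cookie, scheme: scheme) ? :stored : :dropped_secure_over_http
  end
end

if __FILE__ == $PROGRAM_NAME
  puts "Over http:"
  diagnose(SAMPLE_SET_COOKIE, scheme: "http").each { |name, status| puts "  #{name}: #{status}" }
  puts "Over https:"
  diagnose(SAMPLE_SET_COOKIE, scheme: "https").each { |name, status| puts "  #{name}: #{status}" }
end
```

To apply this to a real instance, copy the Set-Cookie headers from the login response (browser dev tools, or `curl -i`) into `SAMPLE_SET_COOKIE`. In a Rails app the Secure attribute on the session cookie normally comes from the `secure:` option passed to `config.session_store` in `config/initializers/session_store.rb`, or from `config.force_ssl = true` in `config/environments/production.rb`, which makes Rails flag cookies as secure as well; the symptom in this thread (signed_in and XSRF-TOKEN present, _loomio and remember_user_token missing) is exactly what the `:dropped_secure_over_http` rows show.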


Edward L Platt Tue 5 May 2020 3:24PM

That was it. Probably a good idea to add some kind of error message when the _loomio cookie is disabled for security reasons.


Robert Guthrie Tue 5 May 2020 6:52PM

Oh, phew. I've been worried about this/you being stuck. Good job.