Session conflict

I have 2 AppHosts running in different subdomains.

In the view of the first app, I have a form whose submit authenticates with the API:
form action = api.example.com/api/auth/credentials
When authenticated, I save the customer info into the session in a custom credentials provider like this:

// Override in CustomCredentialsAuthProvider
public override IHttpResult OnAuthenticated(IServiceBase authService, IAuthSession session, IAuthTokens tokens, Dictionary<string, string> authInfo)
{
    base.OnAuthenticated(authService, session, tokens, authInfo);
    var customUserAuthSession = (CustomUserSession)session;
    try
    {
        using (var uvc = authService.ResolveService<UserService>())
        {
            // Look up the customer by the user name the credentials provider authenticated
            var customer = uvc.GetCustomerByEmail(session.UserAuthName);
            if (customer != null)
            {
                customUserAuthSession.UserAuthId = Convert.ToString(customer.UserId);
                customUserAuthSession.UserName = customer.PrimaryEmail;
                //customUserAuthSession.UserAuthName = user.CustomerName;
                customUserAuthSession.DisplayName = customer.FullName;
                customUserAuthSession.Email = customer.PrimaryEmail;
                customUserAuthSession.Address = customer.Address;
                customUserAuthSession.PhoneNumber = customer.PrimaryPhone;
                customUserAuthSession.CustomerId = Convert.ToInt32(customer.Id);
                customUserAuthSession.SecurityNumber = customer.SN;
                customUserAuthSession.ProvinceId = customer.ProvinceId;
                customUserAuthSession.CityId = customer.CityId;

                customUserAuthSession.Roles = new List<string>
                {
                    "Customer"
                };

                // Persist the populated session against the request's session cookies
                authService.SaveSession(customUserAuthSession, SessionExpiry);
            }
        }
    }
    catch (Exception ex)
    {
        Log.Error(ex.Message);
    }
    return null;
    //return base.OnAuthenticated(authService, customUserAuthSession, tokens, authInfo);
}

Login and getting the session with customer info works right.

BUT SOMETIMES the customer info is wrong: it gets another customer's info from our system.
I think the session id is wrong.

Any idea here? Please help.

BUT SOMETIMES the customer info is wrong: it gets another customer's info from our system.

This is nowhere near enough info for anyone to be able to identify what the issue is. What does your AppHost Auth Configuration look like? What does "Customer Info is wrong" mean? Where is it wrong? What is the raw HTTP Request / Response of a wrong request?

Have you debugged your Custom Auth Provider? Are you looking up the right session.UserAuthName?

I think the session id is wrong.

Why do you think the session id is wrong? At what point is it wrong? Have you looked at the session Id passed in each request? Is it the same Session Id that was returned at Authentication, and is it what you expect?

I have 2 AppHosts running in different subdomains.

Cookies are not shared between different subdomains by default. How are you transferring the cookies so that they're sent between each subdomain?

The code provided is unlikely to have anything to do with the issue. You need to trace back each individual request and look at the Session Cookies created: make sure that they map to the right authenticated User Session that you expect, make sure the same cookies are sent in each request, and look carefully at each raw HTTP Request / Response Header so you can identify when/why the Session Cookies change. The Session Cookies only point to a single Authenticated User; you should never be getting the info of a different User with the same Session Cookie. It's more likely the Session Cookies of the Request have changed, so find out why that is, e.g. Authenticating as a different User in a different browser tab will change the Session Cookies of each browser tab for the same domain.
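The cookie-tracing step described in this reply, scripted as an added example (not code from the thread or from ServiceStack): it parses captured raw request header blocks in the order the browser sent them and flags any request that carries two different values for the same session cookie, or whose session cookie differs from the previous request. It assumes ServiceStack's default session cookie names ss-id and ss-pid; the header blocks are constructed samples.

```python
# Constructed sample of raw request headers, one block per request, in the
# order the browser sent them. Not captured from the systems in the thread.
SAMPLE_REQUESTS = [
    "GET /api/auth/credentials HTTP/1.1\r\nHost: api.example.com\r\n"
    "Cookie: ss-id=AAA111; ss-pid=PPP111\r\n\r\n",
    "GET /api/customer HTTP/1.1\r\nHost: api.example.com\r\n"
    "Cookie: ss-id=AAA111; ss-pid=PPP111\r\n\r\n",
    # Two ss-id cookies at once, e.g. a host-only cookie plus one scoped to .example.com
    "GET /api/customer HTTP/1.1\r\nHost: api.example.com\r\n"
    "Cookie: ss-id=AAA111; ss-pid=PPP111; ss-id=BBB222\r\n\r\n",
    "GET /api/customer HTTP/1.1\r\nHost: api.example.com\r\n"
    "Cookie: ss-id=BBB222; ss-pid=PPP111\r\n\r\n",
]

# ServiceStack's default session cookie names (assumption; the thread only says "Session Cookies")
SESSION_COOKIES = ("ss-id", "ss-pid")


def parse_cookies(raw_request):
    """Return every (name, value) pair from all Cookie headers, keeping duplicates."""
    pairs = []
    for line in raw_request.split("\r\n"):
        if line.lower().startswith("cookie:"):
            for part in line.split(":", 1)[1].split(";"):
                name, _, value = part.strip().partition("=")
                if name:
                    pairs.append((name, value))
    return pairs


def audit_session_cookies(raw_requests, names=SESSION_COOKIES):
    """Flag requests whose session cookies are duplicated or differ from the previous request."""
    findings = []
    previous = {}
    for idx, raw in enumerate(raw_requests):
        pairs = parse_cookies(raw)
        for name in names:
            values = [v for n, v in pairs if n == name]
            if len(set(values)) > 1:
                findings.append((idx, "duplicate", name, values))
            # The thread states the last sessionId sent is the one that gets used
            current = values[-1] if values else None
            if idx and previous.get(name) != current:
                findings.append((idx, "changed", name, [previous.get(name), current]))
            previous[name] = current
    return findings


if __name__ == "__main__":
    for idx, kind, name, detail in audit_session_cookies(SAMPLE_REQUESTS):
        print(f"request #{idx}: {name} {kind}: {detail}")
```

Feed it the raw request blocks exported from the browser's network tab; a "duplicate" finding means the browser sent two cookies of the same name (typically different Domain attributes), and a "changed" finding marks the request where the session switched.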

First AppHost (id.example.com): no auth configuration, just the session feature turned on.

Plugins.Add(new SessionFeature());

Second AppHost (api.example.com):

Plugins.Add(new AuthFeature(() => new CustomUserSession(),
    new IAuthProvider[] {
        new CustomCredentialsAuthProvider
        {
            SessionExpiry = TimeSpan.FromMinutes(30)
        },
    })
{
    IncludeAssignRoleServices = false,
    MaxLoginAttempts = 5,
    ServiceRoutes = new Dictionary<Type, string[]> {
        { typeof(AuthenticateService), new[] { "/auth/{provider}" } }
    },
    GenerateNewSessionCookiesOnAuthentication = true,
    IncludeAuthMetadataProvider = false,
    DeleteSessionCookiesOnLogout = true
});

Cookies I have set to the root domain in web.config like this:

    <httpCookies domain=".example.com" />

And CustomUserSession just adds some fields; it doesn't override anything.

[DataContract]
public class CustomUserSession : AuthUserSession
{
    [DataMember]
    public int CustomerId { get; set; }
    [DataMember]
    public string SecurityNumber { get; set; }
    [DataMember]
    public int ProvinceId { get; set; }
    [DataMember]
    public int CityId { get; set; }
}

So, I don't configure an AuthRepository; my CustomCredentialsAuthProvider queries the user from my own User table. UserName is email ONLY.

// Override in CustomCredentialsAuthProvider: checks the credentials against my own User table
public override bool TryAuthenticate(IServiceBase authService,
    string userName, string password)
{
    //var session = authService.GetSession();
    try
    {
        using (var uvc = HostContext.ResolveService<UserService>())
        {
            return uvc.CheckExistingActiveUser(userName, password);
        }
    }
    catch (AuthenticationException ex)
    {
        Log.Error(ex.Message);
    }
    return false;
}

OK, the TryAuthenticate implementation is unusual, but what about the actual issue? What do the raw HTTP Request / Response Headers of a request with the right user and a request with the wrong user look like?

The Request Headers look like this:

And the customer info that is right is the CustomerId in the session.

Function to get customer info:

var user = GetCustomer(UserSession.CustomerId);

The SessionId in the Cookie matches the right user in my own system.

AND in the cache the sessionId matches the right customer information.

BUT sometimes, you are right, the cookie may have changed -> the request headers send a DIFFERENT sessionId -> get the wrong user info. I can't debug it because when I tested, it worked right. Hmm…

How about a conflict when I configure 2 AppHosts and each generates a different sessionId???

The last sessionId gets used.

OK, thanks mythz, I will debug some more.