How to logout on multiple domains?

@tbvgl helped me identify that the root fix should be in Wappler’s middleware, so I’m summoning @patrick @George

Core problem:

  1. I login on maindomain.com, siteSecurity2.auth cookie is set on .maindomain.com and I’m logged in in this session, I see cookie: siteSecurityId: 1 in the redis session.

  2. I navigate to sub.maindomain.com - it automatically logs me in (thanks to the .auth cookie)

  3. I logout on sub.maindomain.com - it removes the .auth cookie and my session is not logged in in redis (no siteSecurityId)

  4. I go to maindomain.com and I’m still logged in in the session, BUT the .auth cookie is gone

  5. I go to sub.maindomain.com and I’m NOT logged in. Because the .auth cookie is missing and I was logged out of the session in step 3.

Desired: when logging out on a subdomain, it logs me out of the session on the main domain and any other subdomains

Extra info:

I may be wrong here, but I recall there is also a session variable set which holds the user id during that server session.
I think Wappler checks for a security session value before checking for the cookie, so if the session is not destroyed the login may remain valid

So if your security provider is called “siteSecurity2”, on login there is also a server session variable started called “$_SESSION.siteSecurity2Id”

you may want to check that this session variable is destroyed when logging out from a subdomain as this may be the cause

2 Likes

Yes, there should be a Security Logout step. Only erasing the cookie is not acceptable (I don’t know anything about handling cookies in Wappler though)

1 Like

I assume you want to share the sessions also between the domains, just like the security provider.

Create a file user_config.json in the folder lib/config. This can be used to override config options; Wappler will not touch this file.

In this file you can configure how the session cookies are set; by default they are set for the current domain. You could probably use the same settings as for the security cookie, depending on how and where you use the sessions.

The config will look like:

{
  "session": {
    "cookie": {
      "domain": ".maindomain.com"
    }
  }
}

For all config options for session check:

expressjs/session: Simple session middleware for Express (github.com)

2 Likes

@patrick Thanks, that will solve part of the issue I think.

But the ‘security logout’ server action - would that also log the user out on all domains server side?

The logout clears the auth cookie and the session, if the session is also shared between the domains it will logout on all domains.

1 Like
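As an added example (not code from this thread or from Wappler), the model below reproduces the logout behaviour from steps 1-5 above and the fix described in the two answers: the auth cookie is shared on .maindomain.com, the session cookie is per host until user_config.json widens it, and a proper logout destroys the server-side session and clears both cookies with the Domain they were set with. CookieJar, login, logout, isLoggedIn and the in-memory store are assumptions.

```javascript
// Added example, not code from this thread or from Wappler. Models the shared
// ".maindomain.com" auth cookie beside a session cookie whose Domain is configurable.
const AUTH_COOKIE = 'siteSecurity2.auth';
const SESSION_COOKIE = 'connect.sid';   // express-session's default cookie name
const sessions = new Map();             // stand-in for the redis session store
let nextSid = 1;
// Minimal browser cookie jar: a cookie for ".maindomain.com" is sent to
// maindomain.com and every subdomain; a host-only cookie only to that host.
class CookieJar {
  constructor() { this.jar = new Map(); }
  set(name, value, domain) { this.jar.set(domain + '|' + name, value); }
  clear(name, domain) { this.jar.delete(domain + '|' + name); }
  forHost(host) {
    const out = {};
    for (const [key, value] of this.jar) {
      const [domain, name] = key.split('|');
      const matches = domain.startsWith('.')
        ? host === domain.slice(1) || host.endsWith(domain)
        : host === domain;
      if (matches) out[name] = value;
    }
    return out;
  }
}
// sessionDomain is ".maindomain.com" once user_config.json scopes the session
// cookie, or the host itself with the default (current domain) setting.
function login(jar, sessionDomain, userId) {
  const sid = String(nextSid++);
  sessions.set(sid, { siteSecurity2Id: userId }); // $_SESSION.siteSecurity2Id
  jar.set(SESSION_COOKIE, sid, sessionDomain);
  jar.set(AUTH_COOKIE, 'signed-token-for-user-' + userId, '.maindomain.com');
}
// The session value is checked before the auth cookie, as described in the thread.
function isLoggedIn(jar, host) {
  const c = jar.forHost(host);
  const s = sessions.get(c[SESSION_COOKIE]);
  return Boolean((s && s.siteSecurity2Id) || c[AUTH_COOKIE]);
}
// Security Logout: destroy the server-side session and clear both cookies with
// the same Domain they were set with; a Domain mismatch leaves them in place.
function logout(jar, host, sessionDomain) {
  const c = jar.forHost(host);
  sessions.delete(c[SESSION_COOKIE]);
  jar.clear(SESSION_COOKIE, sessionDomain);
  jar.clear(AUTH_COOKIE, '.maindomain.com');
}
```

With the default per-host session cookie, logging out on sub.maindomain.com cannot reach the session created on maindomain.com, which is exactly step 4; once the session cookie is scoped to .maindomain.com the same logout ends the login everywhere.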

@patrick creating a file user_config.json in lib/config does not get picked up by the auth login script. It still sets the domain as undefined or defined as whatever was added via Wappler security provider UI.

Adjusting the constructor for the AuthProvider in provider.js by using an ENV variable directly works

constructor(app, opts, name) {
    this.app = app;
    this.name = name;
    this.identity = this.app.getSession(this.name + 'Id') || false;
    this.secret = opts.secret || config.secret;
    this.basicAuth = opts.basicAuth;
    this.basicRealm = opts.basicRealm;
    this.passwordVerify = opts.passwordVerify || false;

    this.cookieOpts = {
        domain: process.env.COOKIE_DOMAIN, // e.g. .maindomain.com, read from the environment
        httpOnly: true,
        maxAge: (opts.expires || 30) * 24 * 60 * 60 * 1000, // from days to ms
        path: opts.path || '/',
        secure: !!opts.secure,
        sameSite: opts.sameSite || 'Strict',
        signed: true
    };
}
2 Likes

@patrick Any chance you can make this a permanent fix?

Sorry, seems I gave the wrong folder. All the user files should go in the app folder and not in the lib. So the correct folder for the user_config.json is the app/config folder where also the config.json generated by Wappler is located.

@patrick This still does not work:
Adding

{
    "session": {
        "cookie": {
            "domain": ".app.localhost"
        }
    }
}

to user_config.json in app/config and then logging in on http://app.localhost:3000 sets the security cookie Domain to app.localhost while it should be .app.localhost.

It sets it correctly if I define it via ENV variable instead inside provider.js

this.cookieOpts = {
    domain: process.env.COOKIE_DOMAIN, // e.g. .app.localhost, read from the environment
    httpOnly: true,
    maxAge: (opts.expires || 30) * 24 * 60 * 60 * 1000, // from days to ms
    path: opts.path || '/',
    secure: !!opts.secure,
    sameSite: opts.sameSite || 'Strict',
    signed: true
};
1 Like

@patrick
We paid Tobias a lot of money to figure this out for us.

His solution works.

  1. Can we have a fix so Wappler won’t prompt us to override the provider.js and we have to keep making sure we don’t overwrite the file?

  2. Is there a similar way we can set the session cookie on the main domain? Currently it sets the .auth cookie on the entered domain. But the session cookie is set on the subdomain we’re on.