Cypress ignores session cookie change

[alsha]

Current behavior

Server (AUT) changes the value of session-cookie (name=MLOGIN_SESSION) after logging in.
BUT: Cypress continues to send the old cookie value to server.

Desired behavior

Cypress should be able to notice the cookie value change and send the new value with upcoming requests

Test code to reproduce

it('Log in', () => {

    cy.visit('https://login.muenchen.de');

    cy.get('a').contains('EN').click({force: true});
    cy.get('a').contains('Log in').click();

    cy.get('#email').type('[email protected]');
    cy.get('#password').type('Cypress_mlogin123');
    cy.get('button').contains('Sign in').click();

    cy.url().should('contain', '/portal/secure/profile');

});

Config:

module.exports = defineConfig({
    e2e: {
        blockHosts: ["piwik*.swm.de", "consentmanager.mgr.consensu.org", "cdn.consentmanager.mgr.consensu.org"],
        viewportWidth: 1920,
        viewportHeight: 1080,
        defaultCommandTimeout: 10000,
    },
});

Cypress Version

12.7.0

Node version

v18.12.1

Operating System

Windows 10

Debug Logs

No response

Other

Cypress 11.* worked fine

[mike-plummer]

Hi @alsha , thanks for opening an issue and thank you for providing a reproduction case! There were a number of breaking changes around Cookie behaviors in Cypress 12 that may be impacting your test.

It appears that there is some duplication of the MLOGIN_SESSION cookie occurring on several of the request phases, so it appears the updated value is getting seen but just not set the way it used to.

Before digging in deeper I wanted to get a couple pieces of information:

• Is all manipulation of that cookie being done server-side, or is there some use of document.cookie?
• Are there any client-side redirects in the login flow (use of history), or is it all server-side 302 redirects?
• It looks like the Set-Cookie response header for MLOGIN_SESSION isn't specifying a Domain. Is it possible your server-side logic is working with a superdomain instead of login.muenchen.de? One breaking change in Cypress v12 was using hostname instead of the superdomain when setting cookies without an explicit domain

[alsha]

Hi @mike-plummer , thank you for a quick reply!

Here are my answers:

• Is all manipulation of that cookie being done server-side, or is there some use of document.cookie?

All manipulation of that cookie is being done only server-side.

• Are there any client-side redirects in the login flow (use of history), or is it all server-side 302 redirects?

It is all server-side 302 redirects.

• It looks like the Set-Cookie response header for MLOGIN_SESSION isn't specifying a Domain. Is it possible your server-side logic is working with a superdomain instead of login.muenchen.de? One breaking change in Cypress v12 was using hostname instead of the superdomain when setting cookies without an explicit domain

MLOGIN_SESSION - Cookie is only processed by login.muenchen.de.

By the way, here is one more interesting observation: if you open the dev tools, you can see the requests, performed by Cypress. The requests after login are all appear with correct new cookie value. But in reality it is not true... If you use proxy to sniff the traffic, you will see, that the cookie is old one.

[o3-steven]

Could be duplicate of #25841

[mike-plummer]

Thanks for the link, @o3-steven . It does appear to be related, but it's hard to say 100% whether it's a duplicate. @alsha I'll go ahead and pass this on to the team; they're already working on #25841, so once a fix is available for that we can have you confirm whether it resolves this issue for you