Authentication issue in logging into a web-app in v10.10.0+

[ainkollu]

Current behavior

Context
I am trying to automate a few user actions using Cypress and the work-flow goes like this

1. Launch a URL in domain-1. The Sign-In page is displayed.
2. Enter the Username and password, and click the Sign-In button. The home-page is displayed.
3. Launch another URL in domain-2. (this is a sub-domain of domain-1). A profile picker page is displayed.
4. Select a profile. A PIN page is displayed.
5. On keying in the PIN (4 digit) the same page displayed instead of navigating to the Dashboard page.

Desired behavior

The Dashboard page should be displayed instead the same PIN page is displayed. This happens every time a PIN is entered.

Test code to reproduce

The sandbox env is behind a VPN and cannot be utilized via internet. The production env is available but requires actual credentials and cannot be shared.

The code is pretty straightforward.

1. The config flag of 'experimentalSessionAndOrigin' is set to True. The 'chromeWebSecurity' is set to false.
2. The cy.origin command is not used when launching the second URL. The issue is reproducible even by using the origin method.

Code Snippet

cy.visit('URL-1')
<code for logging in i.e entering the username and password, and clicking the sign-in button>
cy.visit('URL-2')
<code to select a profile and enter the PIN>

NOTE

1. The issue is not reproducible for versions 10.9.0 and below.
2. It is reproducible with versions 10.10.0 and above

Cypress Version

10.10.0

Node version

18.20.4

Operating System

macOS 14.6.1

Debug Logs

No response

Other

1. From v10.10.0 onward until v11.2.0 if the 'experimentalSessionAndOrigin' config flag is disabled or set to flag, the issue is not seen.
2. From v12, 'experimentalSessionAndOrigin' config flag is by default set to true in Cypress and so the issue is reproducible.

One of these two new features introduced in 10.10.0 is causing this issue.

1. cy.origin()'s URL argument must be an exact origin match to the origin of the AUT. Addresses #23999, #23814, #24085, #22882, and #17166.

2. More accurately send/set cookies in cy.origin() when experimentalSessionAndOrigin is enabled. Addresses #23551, #22670, and #23603.

[ainkollu]

Hi @AtofStryker , I've seen your notes in this Issue - #23551 about handling cookies which was introduced in v10.10.0. Can you please take a look at the current issue and provide any suggestions for debugging .
Thanks in advance.

[jennifer-shehane]

@ainkollu It'd be helpful to have a way to reproduce the error that you're seeing.

[ainkollu]

Thanks @jennifer-shehane let me see if I can find a way to repro the error for others to take a look....also, is there a way to securely share credentials to the contributors who can take a look at the issue?

[ainkollu]

@jennifer-shehane I am still working on getting the required approvals to share details on the repro steps but would like to know if we have a way to share credentials securely so that they are not visible to public. The reason I ask is that we cannot share our sandbox env details as they are gated behind a VPN and so Production data is the only option. Thanks!

[jennifer-shehane]

@ainkollu You could email sensitive information to [email protected]