Set-Cookie header missing in non-200 responses forwarded responses from Authorization Hook #10534

Open
Kashish3009 opened this issue Sep 10, 2024 · 1 comment
Labels
k/enhancement New feature or improve an existing feature

Comments

@Kashish3009

Description

We are using Hasura’s authorization hook to refresh session tokens. If the action returns an error, the set-cookie header is not forwarded in the response, despite session updates in the DB. This results in a client-server session mismatch, where the client continues using an outdated authentication cookie.

Proposed Solution

The set-cookie header should be included even on non-200 responses, per RFC 6265.

Steps to Reproduce

  1. Use an action with an authentication hook.
  2. Refresh session token.
  3. Action returns an error.
  4. The set-cookie header is missing from the response.

Alternative

No effective alternatives available yet.

@Kashish3009 Kashish3009 added the k/enhancement New feature or improve an existing feature label Sep 10, 2024
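
The session mismatch described in the issue, modelled offline as an added example (not code from the issue or from Hasura). The hook, gateway and client functions, the `forward_on_error` switch and all token values are hypothetical and constructed for illustration.

```python
from http.cookies import SimpleCookie

def auth_hook(db, presented_token):
    """Hypothetical hook: rotates the session in the DB and returns the new cookie."""
    new_token = presented_token + "-rotated"          # constructed value
    db["session"] = new_token
    return [("Set-Cookie", f"session={new_token}; HttpOnly; Secure; Path=/")]

def build_response(status, hook_headers, forward_on_error):
    """Assemble the client-facing headers for an action result."""
    headers = [("Content-Type", "application/json")]
    if status == 200 or forward_on_error:
        # Keep each Set-Cookie as its own header line; header names are case-insensitive.
        headers += [(k, v) for k, v in hook_headers if k.lower() == "set-cookie"]
    return status, headers

def client_apply(jar, headers):
    """Minimal client cookie jar: stores the value of every Set-Cookie it receives."""
    for name, value in headers:
        if name.lower() == "set-cookie":
            parsed = SimpleCookie()
            parsed.load(value)
            for cookie_name, morsel in parsed.items():
                jar[cookie_name] = morsel.value

def session_in_sync(action_status, forward_on_error):
    """Run one request and report whether client cookie and DB session still match."""
    db = {"session": "tok1"}                           # constructed server-side state
    jar = {"session": "tok1"}                          # constructed client cookie jar
    hook_headers = auth_hook(db, jar["session"])
    _, headers = build_response(action_status, hook_headers, forward_on_error)
    client_apply(jar, headers)
    return jar["session"] == db["session"]

if __name__ == "__main__":
    for status in (200, 400, 500):
        print(status, "200-only:", session_in_sync(status, False),
              "always:", session_in_sync(status, True))
```

With forwarding limited to 200 responses, any action error leaves the client holding the pre-rotation cookie while the DB already stores the new session.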
@ciphrd

ciphrd commented Sep 16, 2024

Reported here too: #8407
