Sessions broken on external hosts?

Hi, I'm making a web-based game and I use the sessions to store the player's information (but most importantly the player ID) which I then use in various async queries to display the user's score and name for example. The session is created by the user first being prompted to choose a name, which is then sent to the server with an action. If successful, the player object is returned and all queries are invalidated so that the page transitions from "must create name first" phase to "can now play" phase.

This has been working great both in dev and production modes for now. But after deploying to the remote test host it is now impossible to get past the "Please choose a name" screen. This only occurs with hosts other than localhost, meaning that if I open the web page on the server, it works fine. But if I open from another computer on the network, the aforementioned issue occurs.

Looking at the Network tab of Firefox I see two _server requests (which are the two queries used on the page, so it's normal). But the problem starts when looking at the response cookies. When on localhost we can see a set-cookie in the response header. But when connecting from a different host, we can see two set-cookie (see images). Which I guess means one of them gets overridden and most probably by a cookie not containing the correct session data.

Has anyone experienced that? I'm not sure if it's an issue I can solve since it looks like it's a weird behavior from vinxi's session handler.
8 Replies
mdynnl (5w ago)
this does fit in an issue
Cyber Grandma (OP, 5w ago)
My assumptions were wrong. It's because of the "Secure" attribute of the cookie.
mdynnl (5w ago)
multiple set-cookie-s are valid but they both use the same key
Cyber Grandma (OP, 5w ago)
Yes yes. I guess I need to find a way to build for HTTP and not HTTPS
mdynnl (5w ago)
i'm not sure i follow. this means the latter would override the former as you've assumed
Cyber Grandma (OP, 5w ago)
Well it works now ¯\_(ツ)_/¯ For future reference: an option can be passed to disable secure mode:

    const session = await useSession<PlayerSession>({
      password: Bun.env.SESSION_SECRET,
      cookie: {
        secure: false,
      },
    });

I need this because my app will be run locally on a closed network.
mdynnl (5w ago)
ah, you meant that by this
Atila (5w ago)
sorry you went through all this hunt. For what it's worth, sessions in SolidStart are handled by H3: https://h3.unjs.io/examples/handle-session
our useSession is just a re-export from the h3 package. The way it goes is:
h3 is used by Nitro
Nitro is used by Vinxi
Vinxi is used by SolidStart
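Added example, not part of the thread and not code from h3, Vinxi or SolidStart: a simplified model of why a `Secure` session cookie is stored on http://localhost but dropped on a plain-HTTP LAN host, plus a way to keep `secure` on by default and disable it only by explicit opt-in. The helper names, the `ALLOW_INSECURE_SESSION_COOKIE` variable and the sample origins are assumptions made for this example.

```typescript
// Added example: hypothetical helpers, not the h3 / SolidStart API.
type CookieOptions = { secure: boolean; httpOnly: boolean; sameSite: "lax" | "strict" };

// Current Firefox and Chrome accept Secure cookies from http://localhost even
// though the connection is not TLS. Simplified: only these two names are handled.
function isLoopbackHost(hostname: string): boolean {
  return hostname === "localhost" || hostname === "127.0.0.1";
}

// Simplified model of whether the browser keeps a cookie from a Set-Cookie header.
function browserStoresCookie(pageUrl: string, cookie: CookieOptions): boolean {
  const url = new URL(pageUrl);
  if (!cookie.secure) return true; // no Secure attribute: stored on any scheme
  return url.protocol === "https:" || isLoopbackHost(url.hostname);
}

// Build the object that would be passed as the `cookie` option of useSession.
// Secure stays on unless the deployment opts out explicitly
// (ALLOW_INSECURE_SESSION_COOKIE is an assumed variable name).
function sessionCookieOptions(env: Record<string, string | undefined>): CookieOptions {
  const insecureOptIn = env.ALLOW_INSECURE_SESSION_COOKIE === "1";
  return { secure: !insecureOptIn, httpOnly: true, sameSite: "lax" };
}

// Constructed sample origins: the server itself, a LAN client, and an HTTPS host.
const constructedOrigins = [
  "http://localhost:3000/",
  "http://192.168.1.20:3000/",
  "https://game.example/",
];

// One line per origin saying whether the session cookie would survive.
function report(env: Record<string, string | undefined>): string[] {
  const cookie = sessionCookieOptions(env);
  return constructedOrigins.map(
    (origin) => `${origin} -> ${browserStoresCookie(origin, cookie) ? "stored" : "dropped"}`
  );
}

console.log("default (secure: true)");
console.log(report({}).join("\n"));
console.log("opt-in (secure: false)");
console.log(report({ ALLOW_INSECURE_SESSION_COOKIE: "1" }).join("\n"));
```

With `secure: false` the session cookie travels in cleartext on that network, so the opt-in belongs only in the closed-network deployment and not in a build that is also served over HTTPS.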