Troubleshooting an empty session
This episode is brought to you by Mailtrap. More on them later.
Welcome to No Compromises. A peek into the mind of two old web devs who have seen some things. This is Joel.
And this is Aaron.
So Joel.
So Aaron. I am definitely not too proud to let all of you know that once or twice a year, I have to ask Aaron for help on something and I am so grateful when he helps me out. I mean, oddly enough this actually happened twice last week. Like I said, it's normally once or twice a year.
That's the whole year then, it's done then.
That's right. I burned up my quota officially. But I don't know, I thought there might be something interesting to kind of talk through, at least one of the scenarios. I think the technical details of it might be interesting, and I think there might be some broader lessons worth talking about. Do you agree at all, Aaron?
Yeah, let's do it.
Let's do it, okay. Just to set up the problem. I was working on an integration with a Laravel app that used an OAuth2 flow. And for the geeks out there, it was specifically the authorization code grant flow. And I was getting this situation where basically when I initiated the flow, the way you do this for security, think of this as like the CSRF protection that we have on web forms. The way it's applied to this OAuth flow is like you set the state variable and you have to remember it so when they come back and they complete the flow, you can compare that state. And it protects against tampering, or replay, or whatever, it's useful to have. But what was happening to me is I would set it in the session and it was there. I would do the redirect, the flow would come back and the session was empty. I was banging my head against the wall and I tried numerous things and I couldn't figure it out. So I reached out to you for help, Aaron. And maybe you can pick up the story from your perspective as to getting this plea for help from me.
Yeah. The first thing when I hear that, I was like, "Well, is the session empty? Is it the same session? Is it a new session?" So we did troubleshooting around that to find out it was actually a different session, so that was weird. And one of the things that that makes me think about then is, maybe it's a different version of the URL. SSL versus not, or any of those different things. So that's kind of the next thing that we troubleshooted. Shooted.
It is a tough word to use in the past tense. Especially on a clean podcast, that's all I'll say.
You know, it was the same URL. Had to click up in the top to make sure that it was.
Browsers hide that now. You love that, right?
Yep. Then one of the things that we did is we were just looking at the network traffic and there was just something in there that popped up. I don't even remember exactly how it worked it but one of the network traffic things sent me down a rabbit hole from something I had done maybe years ago. So, we were doing this sending it back and forth, and one of the network requests was a pre-flight. And I was like, "Why is there a pre-flight?" And then that just kind of made me go through the whole process of, "I wonder if it's JavaScript, and what happens when you do redirects in JavaScript? And what about the cookies with JavaScript? Is it a HTTP and et cetera, et cetera." And that's kind of how we went down the route of, "Hey, there's something with cookies and sessions and stuff like that and that's what we need to troubleshoot into."
Yeah. I think there's a couple of interesting takeaways for me personally. One is just, know your tools. We were in the network tab of Chrome and we were digging specifically into the cookies that were being set. So that's part of it, nothing too advanced there. But just kind of knowing where to look, like what things mean. And I think maybe the second part is like actually knowing how the web works. Like, how does Laravel actually know what session you're a part of, right?
Mm-Hmm (affirmative).
Like, what is the cookie it sends? Why does it need that cookie to be sent back to connect the dots? Some of these are very basic fundamental web things, but having that in your head and having a deeper understanding of that is actually kind of critical to troubleshoot something like this. Because if you don't know how a session works, how do you troubleshoot why the session isn't working?
There's nothing really that unique also when we talk about Laravel.
Right.
With that, that's web basics so it doesn't necessarily matter if it's Laravel or a Node project or "dot" Microsoft.
Yeah, even vanilla PHP. Like what you were saying, sessions work a specific way and the fundamental way is cookies. I remember looking at that cookies tab with you and you were even like, "All right, Joel, now do the first request." And I was like, "We took a screenshot of the cookie. Then we did the flow. And when it came back, we saw it was a different..." We saw-
Hold on here. I seem to remember it being that we saw it... Well, Joel saw it was the same cookie and I said, "Uh."
I did.
And then Joel saw that it was a different cookie.
Yeah. So, again, this is a nuance of the tool being the Chrome developer tools. But it was showing the cookie and it was the same cookie. But what I wasn't initially noticing is it was in a different color, because it was being filtered out. Is that what you recall, Aaron?
I do remember that, yeah.
Yeah. So the browser knew this cookie should normally be sent to it but it decided not to send it. Which is what ultimately led us to the solution. Which, Aaron, do you want to tell us what your brilliant solution was that you told me to do?
Yeah. I told him to google. This had a lot to do with the different configurations for cross-site, security and especially cross-site cookies and third-party, et cetera. So we went and looked at the session settings?
Yeah. Config session in Laravel, where it's configured.
Yeah. And kind of looked at the same site setting and that was really the key there. As, for whatever reason, this project was set to Strict and there's a numerous number of different reasons why you might want that. In this particular case, because of the types of third-party we were integrating with and what we had to do, we set this to Lax. Which is still a perfectly fine and a default setting most of the time. At least right now, the time of recording.
I love how you're hedging.
That was able to solve the problem for us.
Yeah. And I don't know about you, but when I see a security setting and I'm changing it from Strict to Lax, like something doesn't feel right there. So, I kind of knew basically what that meant. Like, once you had helped me reach this solution it made sense to me. But if you put me on the stand and told me to explain in detail, "What is the different between Strict and Lax," I couldn't have done it. At least not to a level of detail I would have been happy with. So I took it as a learning opportunity too that night. You know, I like to party. I'm sitting on the couch, I got my iPad. I read the RFC on SameSite cookie configuration because this is something relatively new. Like, if my memory is correct from reading this last week, I think it's only been a thing for like the last five or six years that this property either existed or was enforced, or something like that. And then there was this whole period of transition where if you didn't specify it, it kind of defaulted to one thing and now it's defaulting to something different. There's a lot of nuance on it but now I can actually explain to you the difference between Lax and Strict.
And I agree with your assessment, it really isn't weakening security in a significant way for most applications. In fact, for applications like this you literally cannot run in Strict mode. So, we either would have to tell the client, "All right. I guess we can't integrate with this provider or go to the provider and see if they have a non-JavaScript redirect-based way of doing this." But to use the flow that that was presented to us like this was a requirement to change it from Strict to Lax. Maybe you listening to this, you knew all this already and you're like, "Come on, Joel." But the point is, I think the takeaway, at least for me personally, is number one, kind of knowing when to ask for help and having somebody you can go to for help is just a huge thing. And second, when you realize either you don't know something or you kind of know it at a surface level, I think it's exciting to dig in. And I'm not a total geek because that RFC was like eight pages. It didn't take me an hour to read it, it was literally 20 minutes on the couch. But now I actually understand something deeper, so I feel good about having to use my once-a-year token to ask Aaron for help.
Nice.
This episode is sponsored by Mailtrap, an email delivery platform that developers love. An email sending solution with industry best analytics, SMTP and email API, SDKs for major programming languages and 24/7 human support. Try for free at mailtrap.io.
So, because I live alone, I tend to maybe talk to myself. I mean, not a lot. It's not, you know just out loud I'd be like, "Oh, I'm going to go blah, blah, blah," you know, stuff like that. And then if it's a good day I might find myself, I don't know, singing. Singing random songs, singing to myself.
Are these original songs, or like-
Just, yeah.
Okay, good.
Original horrible songs. It's like, "I'm taking out the trash," you know?
That's what I was picturing. Good.
Yeah, exactly. And not so bad because I'm doing it in my house by myself. But today I was getting some coffee and I'm walking out to my car and all of a sudden I hear, "Today is the best day because it is Mama and Justin day." And I see this lady's putting her kid in the car seat.
Okay.
And I'm just like, I have two choices right now. One, get into my car right next to hers and pretend like I didn't hear. Or two, what I did do, was try to sing along.
I was going to say, there's no way you went for option one in this scenario. So I'm glad my prediction was right.
No. I didn't try to sing along, but I did put my head down. I'm like, "I heard that." She was like, "Oh." Like, "No, it's okay. I get it, I get it." Because you know, I grew up with little siblings and I know people with kids and stuff, you sing to them. But I just imagine that you just like in the parking lot just singing. Basically, she was singing at the top of her lungs. Like it wasn't quiet, it was like...
Well, you know what? In the future, somebody can extend you that same grace and not calling you out in a weird way for your singing.
Right.
Confident and competent programmers still ask for help just, like Joel.
That's right. And if you'd like some help, we can help. Go to masteringlaravel.io and find the Get Unstuck button up in our top menu.