Avoid creating cookie prepended with dot ('.')

[olivierboudet]

Current behavior

First, i have to tell that I am testing a company internal SSO implementation (based on Keycloak). I saw this comment (#1342 (comment)) on another issue which tells to test SSO with cy.request to simulate the authentication flow. In our case, we precisely want to test the flow, involving usage of multiple cookies with different domains, all set by Keycloak, not by cy.setCookie().

Current behavior:

When user is authenticated, Keycloak sets some cookies but cypress duplicates them with domain prefixed by a dot.
In the cypress console, we can see cookies set by cypress:

[
   
    {
        "name": "KEYCLOAK_IDENTITY",
        "value": "",
        "path": "/auth/realms/myrealm/",
        "domain": ".keycloak.local",
        "secure": false,
        "httpOnly": true,
        "sameSite": "lax"
    },
]

Keycloak set this one in the server response:

 {
        "name": "KEYCLOAK_IDENTITY",
        "value": "eyJhbGciOiJIUzI1NiIsInR5cCIgOiAiSldUIiwia2lkIiA6ICIxNzA2N2ZhNS03NjQ2LTRmNjUtOTBkZi1jYWE5NjJmZThjODcifQ.eyJleHAiOjE3MzE1NzU5NDQsImlhdCI6MTY3MTA5NTk0NCwianRpIjoiYmYyNGRhMDItZmU4MS00OWQ3LTk1MzgtMjU0NDk5NDQ5ZmFi......",
        "path": "/auth/realms/myrealm/",
        "domain": "keycloak.local",
        "secure": true,
        "httpOnly": true,
        "hostOnly": true,
        "sameSite": "no_restriction"
    },

Desired behavior

Cypress should allow to disable the automatic creation of new cookies prefixed by a dot.
At least, the value should not be empty.

Test code to reproduce

Too difficult to provide here, it needs a full setup of Keycloak with multiple applications to test SSO.

This issue is already detailed in other issues :

• Set cookie domain prefixed with a dot #1896
• Login through Azure AD account. #1342
• Option for using the exact domain when setting a Cookie #16856

We have found a workaround which is to manually remove all cookies automatically set by Cypress, which is a very dirty hack:

When("user register", () => {
  cy.clickJsConsoleLogin();
  cy.registerRandomUser();
  cy.activateEmail();
  cy.clearCookie('KEYCLOAK_IDENTITY', {domain: Cypress.env('keycloakUrl').replace('https://', '.')})
});

Cypress Version

12.1.0

Node version

14.18.0

Operating System

Ubuntu 20.04

Debug Logs

No response

Other

No response

[verheyenkoen]

Similar issue with a go-based-backend. The cypress intervention (likely by using document.cookie = '...') causes a second cookie with dot-prefix to be present which is also sent back-and-forth to the server and the server cannot deal with it, causing behavior you don't get without Cypress.

[AtofStryker]

Hi @olivierboudet . Thank you for opening an issue. Would you or @verheyenkoen be able to help provide me with a repro? I have an old reproduction repository I used for #22282 but that is only using cy.origin(). Would you be able to do something similar to this repro but taylor it to cy.request()?

[AtofStryker]

I have been able to reproduce this. Is this what you are seeing?

[verheyenkoen]

@AtofStryker Yes, the cookies are duplicated with one of the domains being dot-prefixed. Not sure but could have to do with the httpOnly attribute being true for these cookies. Anyway, they are sent back to the sever with roundtrip and that is in some use cases causing problems.

This means you don't need a reproduction repo anymore?

[olivierboudet]

In my case, I observe a similar thing but the value of new cookies are empty :

I think it would not be an issue if the value was not empty.

[AtofStryker]

@verheyenkoen If the screenshot is the identical issue I don't think we need an additional reproduction, but can use the #22282 reproduction with Cypress 12.

@olivierboudet however it sounds like your issue might be slightly different. A reproduction would likely be useful here, but if not We can likely go off the salesforce reproduction I have

[Bertg]

I've seen similar issues on our solution. This is a Rack (ruby) based application.

So far we have only observed this in tests which use multiple domains. We actually have a test failure there, where a cookie does not get stored, even though present in the cookie headers. (We have had no time to file a decent bug report on this yet.)

I think both issues may be related to the changes introduced in Cypress 12. If I understand correctly quite some work was done to make cross-domain tests work better.

[olivierboudet]

I think both issues may be related to the changes introduced in Cypress 12. If I understand correctly quite some work was done to make cross-domain tests work better.

Yes, we saw the issue just after upgraded to cypress 12 (from cypress 10)

[Bertg]

May also be related to #25205

[verheyenkoen]

@AtofStryker Looks like the same issue indeed.

In our case it were new tests so can't say if this "bug" is new to Cypress 12 but our test case is also touching multiple subdomains.

[AtofStryker]

We did significant cookie work for Cypress 12, including introducing new cookie commands and behaviors. My guess is this is an unintended side effect of those changes. Hopefully we can investigate soon!