
Antoine Serval


Hello everyone,

I'm facing an issue with session persistence in my Rails API application. I've set up a session in one controller action (nonce), but when I try to access it in another action (verify), it seems to be missing.

  1. Controller

```ruby
class UsersController < ApplicationController
  before_action :log_response_headers

  def log_response_headers
    Rails.logger.info("Response Headers: #{response.headers}")
  end

  def nonce
    nonce = SecureRandom.hex(16)
    session[:nonce] = nonce
    render json: { nonce: nonce }
  end

  def verify
    nonce = session[:nonce]
    # ... rest of the code ...
  end
end
```

  2. Application Configuration

```ruby
module HueBackend
  class Application < Rails::Application
    config.session_store :cookie_store, key: '_hue_session'
    config.session_options = {
      httponly: true,
      same_site: "None",
      secure: false
    }
    # ... rest of the configuration ...

    Rails.application.config.middleware.insert_before ActiveRecord::Migration::CheckPending, ActionDispatch::Cookies
    Rails.application.config.middleware.insert_before ActionDispatch::Cookies, Rails.application.config.session_store, Rails.application.config.session_options
  end
end
```

  3. Cors configuration

```ruby
Rails.application.config.middleware.insert_before 0, Rack::Cors do
  allow do
    origins 'localhost:5173'
    resource '/api/*',
      headers: :any,
      methods: [:get, :post, :put, :patch, :delete, :options, :head],
      credentials: true
  end
end
```

  4. Front-End fetch call

```javascript
const response = await fetch('api/nonce', {
  credentials: "include"
});
```

Checks Performed:

  1. Verified that credentials: "include" is set in frontend fetch calls.
  2. Checked the order of middlewares to ensure ActionDispatch::Cookies and the session store are loaded correctly.
  3. Inspected response headers for the Set-Cookie header after making a request to the nonce endpoint.
  4. Ensured the browser isn't blocking third-party cookies.
  5. Checked server logs for any warnings or errors related to the session or cookies.

Despite these checks, the session doesn't seem to persist across controller actions. Any insights or suggestions would be greatly appreciated!

I can share the GitHub too if needed. Been having a headache on this for the past days...

Thank you!
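
Check 3 from the list above (inspecting the `Set-Cookie` header), written as a script. This is an added example, not part of the original post: the header strings are constructed from the session options shown in the post, and the helper names are hypothetical.

```ruby
# Added example: audit the Set-Cookie headers of a response for the session
# cookie and flag attribute combinations that stop it from being stored or
# that weaken it. Helper names are hypothetical; sample headers are constructed.

# Parse one Set-Cookie header value into its cookie name and attributes.
def parse_set_cookie(header)
  pair, *attrs = header.split(';').map(&:strip)
  name, _value = pair.to_s.split('=', 2)
  attributes = attrs.each_with_object({}) do |attr, acc|
    next if attr.empty?
    key, val = attr.split('=', 2)
    acc[key.downcase] = val.nil? ? true : val.strip
  end
  { name: name, attributes: attributes }
end

# Return a list of findings for the session cookie named +key+.
def audit_session_cookie(set_cookie_headers, key)
  cookie = Array(set_cookie_headers).map { |h| parse_set_cookie(h) }
                                    .find { |c| c[:name] == key }
  # The response never wrote the session cookie at all.
  return [:session_cookie_not_set] if cookie.nil?

  attrs = cookie[:attributes]
  findings = []
  # SameSite=None is only honoured together with Secure; browsers that
  # enforce this (Chrome 80 and later, for one) discard the cookie otherwise.
  if attrs['samesite'].to_s.downcase == 'none' && !attrs['secure']
    findings << :samesite_none_without_secure
  end
  # Without HttpOnly the session cookie is readable from page JavaScript.
  findings << :missing_httponly unless attrs['httponly']
  findings
end

# Constructed header matching the options in the post
# (httponly: true, same_site: "None", secure: false).
AS_CONFIGURED = '_hue_session=abc123; path=/; HttpOnly; SameSite=None'
# Constructed header with Secure added, as it would be served over HTTPS.
WITH_SECURE = '_hue_session=abc123; path=/; HttpOnly; SameSite=None; Secure'

if __FILE__ == $PROGRAM_NAME
  p audit_session_cookie([AS_CONFIGURED], '_hue_session')
  p audit_session_cookie([WITH_SECURE], '_hue_session')
end
```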