Another attempt at fixing MFA issues

2025-07-24 15:49:39 +02:00 · 2025-03-05 13:10:53 -06:00 · 2025-03-05 13:10:53 -06:00 · e49bda4a2e
commit e49bda4a2e
parent 071ad52c7f
2 changed files with 21 additions and 2 deletions
--- a/app/controllers/concerns/authentication.rb
+++ b/app/controllers/concerns/authentication.rb
@ -28,12 +28,22 @@ module Authentication
    end

    def find_session_by_cookie
-      Session.find_by(id: cookies.signed[:session_token])
+      cookie_value = cookies.signed[:session_token]
+      Rails.logger.info "Looking for session with cookie value: #{cookie_value.present? ? 'present' : 'missing'}"
+      session = Session.find_by(id: cookie_value)
+      Rails.logger.info "Session found: #{session.present? ? 'yes' : 'no'}"
+      session
    end

    def create_session_for(user)
      session = user.sessions.create!
-      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      Rails.logger.info "Setting session cookie with value: #{session.id}"
+      # Explicitly set SameSite attribute and ensure cookie is set properly
+      cookies.signed.permanent[:session_token] = {
+        value: session.id,
+        httponly: true,
+        same_site: :lax
+      }
      session
    end

--- a/app/controllers/mfa_controller.rb
+++ b/app/controllers/mfa_controller.rb
@ -30,6 +30,15 @@ class MfaController < ApplicationController
      session.delete(:mfa_user_id)
      @session = create_session_for(@user)
      Rails.logger.info "MFA verification successful for user #{@user.id}. Session created: #{@session.id}"
+
+      # Explicitly set the cookie again to ensure it's properly set
+      cookies.signed.permanent[:session_token] = {
+        value: @session.id,
+        httponly: true,
+        same_site: :lax
+      }
+
+      # Use turbo: false to ensure a full page reload
      redirect_to root_path, turbo: false
    else
      flash.now[:alert] = t(".invalid_code")