Another attempt at fixing MFA issues

app/controllers/concerns/authentication.rb

@@ -28,12 +28,22 @@ module Authentication
     end
 
     def find_session_by_cookie
-      Session.find_by(id: cookies.signed[:session_token])
+      cookie_value = cookies.signed[:session_token]
+      Rails.logger.info "Looking for session with cookie value: #{cookie_value.present? ? 'present' : 'missing'}"
+      session = Session.find_by(id: cookie_value)
+      Rails.logger.info "Session found: #{session.present? ? 'yes' : 'no'}"
+      session
     end
 
     def create_session_for(user)
       session = user.sessions.create!
-      cookies.signed.permanent[:session_token] = { value: session.id, httponly: true }
+      Rails.logger.info "Setting session cookie with value: #{session.id}"
+      # Explicitly set SameSite attribute and ensure cookie is set properly
+      cookies.signed.permanent[:session_token] = {
+        value: session.id,
+        httponly: true,
+        same_site: :lax
+      }
       session
     end
 

app/controllers/mfa_controller.rb

@@ -30,6 +30,15 @@ class MfaController < ApplicationController
       session.delete(:mfa_user_id)
       @session = create_session_for(@user)
       Rails.logger.info "MFA verification successful for user #{@user.id}. Session created: #{@session.id}"
+
+      # Explicitly set the cookie again to ensure it's properly set
+      cookies.signed.permanent[:session_token] = {
+        value: @session.id,
+        httponly: true,
+        same_site: :lax
+      }
+
+      # Use turbo: false to ensure a full page reload
       redirect_to root_path, turbo: false
     else
       flash.now[:alert] = t(".invalid_code")