Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Browser SDK cannot handle url-encoded cookie values #664

Open
jeremyallison opened this issue Feb 14, 2024 · 0 comments · May be fixed by #686
Open

Browser SDK cannot handle url-encoded cookie values #664

jeremyallison opened this issue Feb 14, 2024 · 0 comments · May be fixed by #686
Labels
bug Something isn't working

Comments

@jeremyallison
Copy link

jeremyallison commented Feb 14, 2024
edited

Expected Behavior

  1. Backend sets a cookie value (new format, AMP_xxxxxx). Cookie is returned to browser via a Set-Cookie response header.
  2. Frontend browser SDK parses existing cookie, uses deviceId already set by the backend, and uses it ✅

Current Behavior

  1. Backend sets cookie value (new format, AMP_xxxxxx). Cookie is returned to browser via a Set-Cookie response header.
  2. Frontend browser SDK fails to parse existing cookie, as its value is URL encoded. ❌

Possible Solution

Call decodeURIcomponent on cookie value before atob when parsing Amplitude cookie

Steps to Reproduce

Broken flow:

  1. Manually set an Amplitude cookie in your browser, with an URL encoded value (as my Rails backend would) , for example AMP_1310df2f88=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJkZDU1YjIxNC0yNmY1LTQ5OTAtYjFiZi0zNTkzYTIxOTJlNDIlMjIlN0Q%3D
    (JSON value would equal {"deviceId":"dd55b214-26f5-4990-b1bf-3593a2192e42"})

  2. Initialize browser SDK and let it parse this cookie

  3. Inspect cookie set by browser SDK, decode its value : {"deviceId":"72ac8556-1535-4fb2-bce4-f844bdb1d6cc","sessionId":xxxxx,"optOut":false,"lastEventTime":1234,"lastEventId":5}
    deviceId does not match. The JS SDK has ignored the backend cookie and set its own deviceId

Fixed flow, proves what is broken:

  1. Manually set an Amplitude cookie in your browser, with a value that has not been URL encoded, for example AMP_1310df2f88=JTdCJTIyZGV2aWNlSWQlMjIlM0ElMjJkZDU1YjIxNC0yNmY1LTQ5OTAtYjFiZi0zNTkzYTIxOTJlNDIlMjIlN0Q= <-- ⚠️ notice the = is not encoded into %3D here
    (JSON value would equal {"deviceId":"dd55b214-26f5-4990-b1bf-3593a2192e42"})

  2. Initialize browser SDK and let it parse this cookie

  3. Inspect cookie set by browser SDK, decode its value : {"deviceId":"dd55b214-26f5-4990-b1bf-3593a2192e42","sessionId":xxxxx,"optOut":false,"lastEventTime":1234,"lastEventId":5}
    deviceId is now the proper value we set initially, found at step 1. The JS SDK has taken the initial cookie into account and re-used the existing deviceId

Environment

  • JS SDK Version: 2.4.1
  • Installation Method: yarn
  • Browser and Version: Chrome 121.0.6167.139
@jeremyallison jeremyallison added the bug Something isn't working label Feb 14, 2024
dajinchu added a commit to dajinchu/Amplitude-TypeScript that referenced this issue Mar 22, 2024
@dajinchu
fix: amplitude#664 Handle URL-encoded cookie values
873f690
@dajinchu dajinchu linked a pull request Mar 22, 2024 that will close this issue
Open
1 task
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Assignees
No one assigned
Labels
bug Something isn't working
Projects
None yet
Milestone
No milestone
Development

Successfully merging a pull request may close this issue.

fix: #664 Handle URL-encoded cookie values dajinchu/Amplitude-TypeScript
1 participant
@jeremyallison