Golang Gorilla Sessions ajax, not working on Chrome? so strange

233 views
Skip to first unread message

Patrick McDowell

unread,
May 17, 2017, 1:50:59 AM5/17/17
to Gorilla web toolkit

Fellow Gophers.

I seem to be running into something unique, and only fails on Chrome.

I have a website, using Gorilla Session, and storing a struct as a session key. Works fine on all browser except Chrome.

The initial landing page, makes an Ajax $.post callback. On chrome, the $.post controller never seems to get the session values.

  • I tried switching to Https, no luck
  • I started tunneling everything through a single URL (thinking url changes were the problem, maybe cookies were tired to URL)
  • repeated check to make sure I'm not printing anything before the session
  • I even tried adding a delay before the ajax request, just incase things were firing off too fast

I have too much bad code to put up, but I was hoping someone else might have run across something like this before. It's puzzling me.

Seems like it is something with Chrome.


Matt S

unread,
May 17, 2017, 8:51:52 AM5/17/17
to goril...@googlegroups.com
Can you provide a minimal, reproducible example?

Also:
- Is this a CORS request?
- What does the Chrome console say?
- can you provide the request/response headers associated with the AJAX call?

--
You received this message because you are subscribed to the Google Groups "Gorilla web toolkit" group.
To unsubscribe from this group and stop receiving emails from it, send an email to gorilla-web...@googlegroups.com.
For more options, visit https://groups.google.com/d/optout.

Patrick McDowell

unread,
May 17, 2017, 11:14:53 AM5/17/17
to Gorilla web toolkit
I don't think it would be a CORS issue, since everything is running from the same server,
even the URL stays the same, I have a front controller that handles everything.

No errors pop out on the console, looking at the requests and results I don't see any errors,
but strangely some values seem to get stored and others get dropped.

The diving into the initial request I see set-cookie like this:

Set-Cookie:
session-name=MTQ5NTAzMjc4NnxEdi1CQkFFQ180SUFBUkFCRUFBQV9nRWZfNElBQVFaemRISnBibWNNQ1FBSGMyVnpjMmx2YmhGdFlXbHVMbXh2WVdSU1pYTndiMjV6WmYtREF3RUJER3h2WVdSU1pYTndiMjV6WlFIX2hBQUJFQUVNUVdOalpYTnpYM1J2YTJWdUFRd0FBUWhKWkY5MGIydGxiZ0VNQUFFRVEyOWtaUUVNQUFFRlRtOXVZMlVCREFBQkJWTjBZWFJsQVF3QUFRcElZWE5UWlhOemFXOXVBUXdBQVF4VFpYTnphVzl1Vkc5clpXNEJEQUFCRUVOdlpHVkRiR2xsYm5SVFpXTnlaWFFCREFBQkIwTnZaR1ZWY213QkRBQUJDRU52WkdWVFl...... (pretty long)

Then on the Ajax request, I see a shorter value being sent up to the server. 

Cookie:
session-name=MTQ5NTAzMjc4NHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fLqVZ1t7yaMEu-IjahhcpBWiYf1Xz7_E8ww9Fj6f2dPg;

Weird, it is much shorter.. I know there is a size limit, I am under 4096 limit.

I feel like i must be doing something wrong, but its too strange that it works on other browsers.

I'll the full request, below:

First request:

    1. Content-Type:
      text/html; charset=utf-8
    2. Date:
      Wed, 17 May 2017 14:53:06 GMT
    3. Set-Cookie:
      session-name=MTQ5NTAzMjc4NnxEdi1CQkFFQ180SUFBUkFCRUFBQV9nRWZfNElBQVFaemRISnBibWNNQ1FBSGMyVnpjMmx2YmhGdFlXbHVMbXh2WVdSU1pYTndiMjV6WmYtREF3RUJER3h2WVdSU1pYTndiMjV6WlFIX2hBQUJFQUVNUVdOalpYTnpYM1J2YTJWdUFRd0FBUWhKWkY5MGIydGxiZ0VNQUFFRVEyOWtaUUVNQUFFRlRtOXVZMlVCREFBQkJWTjBZWFJsQVF3QUFRcElZWE5UWlhOemFXOXVBUXdBQVF4VFpYTnphVzl1Vkc5clpXNEJEQUFCRUVOdlpHVkRiR2xsYm5SVFpXTnlaWFFCREFBQkIwTnZaR1ZWY213QkRBQUJDRU52WkdWVFlYWmxBUXdBQVE5RGIyUmxVbVZrYVhKbFkzUlZjbXdCREFBQkIxTmxjM05wYjI0QkRBQUJCa2x6VUc5emRBRU1BQUVGUlhKeWIzSUJEQUFCRUVWeWNtOXlSR1Z6WTNKcGNIUnBiMjRCREFBQkJVTnZkVzUwQVFRQUFBRC1CNHpfaFA0SGh3SC1BMXBsZVVwb1lrZGphVTlwU2xOVmVra3hUbWxKYzBsdGRIQmFRMGsyU1d4d2NsWlhjR3BUYWtaVlpHdFNOV0ZFWnpOamJtUkVZMFphVDAxNlJqTk5WWFJ0Vlcxdk1WTlhSbE5PZWtKRlRtNXNXRTFFVmtwVFIwMXBabEV1WlhsS01scFlTV2xQYWtWelNXMXdNR0ZUU1RaSmEwWlZUR3RPV21KdFZrMWFSemsxVTBWNE1FNXRaSEpQUkd4T1ZIcE9XbU5YTkRGamVtaExZbFpTTmsxSVJreE9iRGxRVTBod1UxRXhjRmxQVkZGcFRFTktjR016VFdsUGFVcHZaRWhTZDJONmIzWk1Namx5WkVkR2NXUXpVWFZpTW5Rd1dWTTFhbUl5TUhaaU1rWXhaRWRuZVV3eVJqRmpla2w0VDBoYWVHSnFiRzlrZWtwdVQwZE9jRTFZVVROSmFYZHBXVmhXYTBscWIybGhTRkl3WTBoTk5reDVPWFpoTTFKb1lXNWtNRXh0YkhaSmFYZHBZVmRHTUVscWIzaE9SR3N4VFVSTmVVNTZaekpNUTBwc1pVaEJhVTlxUlRCUFZGVjNUWHBaZWs5RVdYTkpiVTV3V2tOSk5rbHFUalJTUkZaRVlsWkNXVTlVVG0xWmJIQjNWVWhvZFZWNlZtaEphWGRwWkZkc2EwbHFiMmxOUkVJeFRXcEdkVTFFVmpWTk1GWkxWMFZvZVUxVVozaGtSR05wVEVOS2Vsa3pRV2xQYkhOcFlqTkNiR0p0Ykd0SmFYZHBZMGhLZGxwdGJITmFVMHBrVEVOS2VtUlhTV2xQYVVvd1dsaE9NR1JZVG14amEwSXpZak5qZFZreU9YUkphWGRwV2pOS2RtUllRbnBKYW5CaVNXdFdNbHBZU2pWaU1qVnNTV3d4T1M1SVJsZEpla3MzUVdoeVkxYzRSRkZYVFVoT2VGSllNVnBQWVZsUGExaGtNa1ZpZEhoRVRFVkhVM2xYYVhoTU5FSnRVREkyYWs5MGQyUm5OVmxoUW5WZlRrOWllRTlpZUVNME0wVmhOREYzUTFWT2VsODVUbFJmY0ZrM09WZEpWazVWVUhkMVRUWjZjRlJtY1Y5cVFUazJjRGRHVEZkSlExRmFaR1l6YldKblVuY3RlazV0V1Y5S1NqaE1ZM2xEZVhKc1pHZFZjakkzUVRSSVkwdGhNM3BKUTJKMFFtOWthMHB0VDI5NlZ6TklhSFJSUWxCa1RESmtkMjEyY0hONFZYcGhVazVXYzJOak4yb3djMjVITmpWWmVYcG5VRlkwTkVWdE5sZGZSa0pOTTNweWJtMW1VVTV3Tm5ObVlUQlpURkpxZW1oblVUTlJUVEZ0UjA1RFpIbHJXV1pZWlZaTGVVTkdOa2hCUVMxTlNVRTJYelpRY1ROaFdGRlZSRzA1WVZaak1WTlhkamw1VTBoM1ZsZHBlbTlPYmtSS2RVUk5jSEpMVG5sVmJXNUdjWGxHZVVkcU4yeDJUM1k1ZWpWVllUWXRPR1ZwVTNjQl9nUC1aWGxLYUdKSFkybFBhVXBUVlhwSk1VNXBTWE5KYlhSd1drTkpOa2xzY0hKV1YzQnFVMnBHVldSclVqVmhSR2N6WTI1a1JHTkdXazlOZWtZelRWVjBiVlZ0YnpGVFYwWlRUbnBDUlU1dWJGaE5SRlpLVTBkTmFXWlJMbVY1U25wa1YwbHBUMmxKZDAxSVZYbE5WelIzVGxocmVsSlZjRmxUU0VsNFQwUkdNRTU1U1hOSmJUVm9ZbGRWYVU5cFNsWmpNbFZuVlVoS2JHUnRiR3hrTVRsUVkyMWtla2xwZDJsa2JWWjVTV3B2ZUV4RFNuQmpNMDFwVDJsS2IyUklVbmRqZW05MlRESTVjbVJIUm5Ga00xRjFZakowTUZsVE5XcGlNakIyWWpKR01XUkhaM2xNTWtZeFkzcEplRTlJV25oaWFteHZaSHBLYms5SFRuQk5XRkV6U1dsM2FWbFlWbXRKYW05cFRUTm9SVTVWVG5SVlJtYzFUVEphYVZkdVFsRmxSelZVVGxkRmFVeERTbkJaV0ZGcFQycEZNRTlVVlhkTmVra3pUMFJaYzBsdFZqUmpRMGsyVFZSUk5VNVVRWHBPYWswMFRtbDNhV0Z1VW5CSmFtOXBVMVZSZFZsVlZtcFZSbkF5Wld4YWMxRlhUbTFQUjFVeFlUQmFWMkZGWkdGa2EwWXlXVEI0YzAxV1JtaE5TRlpVWWpGa1NHRlVUblZhUlVWNVUxTkpjMGx0Um5SamFVazJWM2xLZDJReVVXbFlVM2RwWVZkU2QwbHFiMmxOUkVKMlRXcEZNMkpZVG5aalJsSllVakZCTVUxcWEzaGtSR05wVEVOS2RXSXlOV3BhVTBrMlNXMDBkRTFHVFRKWU1XUTJVVlJLVG1GcFNYTkpia0o1V2xkYWJHTnVTbXhhUmpreFl6SldlV0p0Um5SYVUwazJTVzVTYkdNelVqRmpNbFo1VVVoa2RtUjVOV3BpTWpCcFRFTkthR1JZVW05WU0xSndZbGRWYVU5cVJUQlBWRlYzVFhwSk0wOUVWWE5KYlVZd1dESm9hR015WjJsUGFVcHBZMVJvTkZKcVZqTllNRFIzWTFWbmQxZ3lWa1JhVms1NVdUTldNMGxwZDJsWk1UbHZXVmhPYjBscWIybE9NbmhSWlVaUmQyUldaR1paTWtadVVWUkJOR1JYYXpSaFJGSklaSGxLT1M1TlluRm9iVkJ6VURaUFJXWk9aMk5PZFZaM1VuQnpVRWRMWnpkSGQxQnROMWc0U2tKeVNVcEVVMUZyU2psSGMyRnpVWGxoY2xaUllYSkNSbkpTWmw4eE5tUmthbHB3ZWxsSFpEQmhjREp6YzA5S1RYZExTV0o0YTJsemRWbzBZbkk0U0dGd1NsUkpOVkJtTmpWellUSjJiMGRITFRkYVRWTkRlVkpUWjNWcGRtOXZOakJVYmpoVlExOW5hbGswTVd0bFptRklVMmwzTjBGSFNreEJkalZYY1dVelJEQXlkRzVwYnpKcVVEQkVWRnBPT0hOdVNuTkVlbnBCUkVWS1ozWkxNbWRvWkU5b2QyZDNSRmhwUlRCS05IaDFOMUJSVlZrNFMwWlhia1ZvWjBsbWJsbG1WVWM1TFVoSGJYbHVhRzV4WmpsS1ZETlBPSEJzZWs5bllWQTRhVEpqZWpjM1pIcHhWa0pVVjBGMFUxbE9URzQzZWpaVFIyY3dORnBsV21GVlVrRnRWa3RPT1VVeFUzaDBkRTFzV0VOd2NFMVlWRFJSWkdKUFZqTjRWa2xRVW1ad1gxTkJibGd4UzBwQmNFTnhOVWRsTjJjQkZFOWxhbDh3Um5ScE5IVmxXVGh0U2tsQ1lVWjVBZ2hpYkdGb1lteGhhQWdFZEhKMVpRQT18K0svAqlMUe9hOCafa9N9qygrna7s1cO-nJqP0ZDu1o4=; Path=/; Domain=localhost; Expires=Wed, 17 May 2017 17:53:06 GMT; Max-Age=10800; HttpOnly
    4. Transfer-Encoding:
      chunked
  1. Request Headersview source
    1. Accept:
      text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    2. Accept-Encoding:
      gzip, deflate, br
    3. Accept-Language:
      en-US,en;q=0.8
    4. Cache-Control:
      max-age=0
    5. Connection:
      keep-alive
    6. Content-Length:
      2002
    7. Content-Type:
      application/x-www-form-urlencoded
    8. Cookie:
      _gat=1; _ga=GA1.1.1458484012.1494998158; _gid=GA1.1.1951137049.1495032782; session-name=MTQ5NTAzMjc4NHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fLqVZ1t7yaMEu-IjahhcpBWiYf1Xz7_E8ww9Fj6f2dPg
    9. Host:
      localhost:4000
    10. Origin:
      null
    11. Upgrade-Insecure-Requests:
      1
    12. User-Agent:
      Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36

Second request

  1. Accept:
    */*
  2. Accept-Encoding:
    gzip, deflate, br
  3. Accept-Language:
    en-US,en;q=0.8
  4. Connection:
    keep-alive
  5. Content-Length:
    102
  6. Content-Type:
    application/x-www-form-urlencoded; charset=UTF-8
  7. Cookie:
    session-name=MTQ5NTAzMjc4NHxEdi1CQkFFQ180SUFBUkFCRUFBQUJQLUNBQUE9fLqVZ1t7yaMEu-IjahhcpBWiYf1Xz7_E8ww9Fj6f2dPg; _ga=GA1.1.1458484012.1494998158; _gid=GA1.1.1813935864.1495032786
  8. Host:
    localhost:4000
  9. Origin:
  10. Referer:
  11. User-Agent:
    Mozilla/5.0 (Macintosh; Intel Mac OS X 10_12_4) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/58.0.3029.110 Safari/537.36
  12. X-Requested-With:
    XMLHttpRequest

Matt S

unread,
May 17, 2017, 5:06:45 PM5/17/17
to goril...@googlegroups.com
That seems like a big cookie - are you positive it's under 4096 bytes *once encoded* - ?

Patrick McDowell

unread,
May 17, 2017, 7:10:18 PM5/17/17
to Gorilla web toolkit
Thanks for replying btw, I'm digging into this more.

I'm starting to think there might be some special character somewhere getting caught up in the mix.

Did some more testing, didn't have much time, but I got some values to stick, digging into the ones
that don't stick see if I can figure this out.

So weird it only effects Chrome. The more reliable browser.

-Patrick.

mhh...@gmail.com

unread,
May 18, 2017, 6:48:57 AM5/18/17
to Gorilla web toolkit
do you have a small repeatable example ?

Patrick McDowell

unread,
May 18, 2017, 11:36:18 AM5/18/17
to Gorilla web toolkit
I can confirm it seems to be size issue, I was wondering about special characters, that doesn't seem to be the problem.

I'm storing an id_token and access_token. This totals 1938 characters, including the definitions strings, etc..

initialJson.Access_token = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlprVWpjSjFUdkR5aDg3cndDcFZOMzF3MUtmUmo1SWFSNzBENnlXMDVJSGMifQ.eyJ2ZXIiOjEsImp0aSI6IkFULlNETGFLcVp5d05YaTZYQjZsMFpESlgxTmV5MVRzUW96em1TdkR0OXZaZ3ciLCJpc3MiOiJodHRwczovL29rdGFqd3Qub2t0YS5jb20vb2F1dGgyL2F1czIxOHZxbjlodzJnOGNpMXQ3IiwiYXVkIjoiaHR0cHM6Ly9va3Rhand0LmlvIiwiaWF0IjoxNDk1MTIwMzA5LCJleHAiOjE0OTUxMjM5MDksImNpZCI6IjN4RDVDbVBYOTNmYlpwUHhuUzVhIiwidWlkIjoiMDB1MjFuMDV5M0VKWEhyMTgxdDciLCJzY3AiOlsib3BlbmlkIiwicHJvZmlsZSJdLCJzdWIiOiJ0ZXN0dXNlckB3b3cuY29tIiwiZ3JvdXBzIjpbIkV2ZXJ5b25lIl19.F13PVt5kAWXRG7zg7xbX5gor4fjopHxQNxb_sxVDlkwbL6RhD7BB8F4FK9F95vBgZ6SrsUlSdwg8Pkwg-alNzL8p4ZgdCpWYvGw_lpzaEDEA_8VGnzvS61Onaa00jDB0Iyi1QLMw084jp2_x7JDVxjTUFyL8bg5oxDL-8gjVX3P2hhvWaUJ-ymq72mKWjsS_-hJw0oLh40iDNppWgdIkG2G8wgy2NCTpb74fJjjRf5wGNqmT5AegUHHsIU9S-oJ-ss7CvBW6tl_ojy_vO8UuOaskVC-jbLwGSqR_zuxP5dDbwARMSXbk02tsPIYs8gJRbtHUFNzJkKQwXEziuZgUiQ"
initialJson.Id_token = "eyJhbGciOiJSUzI1NiIsImtpZCI6IlprVWpjSjFUdkR5aDg3cndDcFZOMzF3MUtmUmo1SWFSNzBENnlXMDVJSGMifQ.eyJzdWIiOiIwMHUyMW4wNXkzRUpYSHIxODF0NyIsIm5hbWUiOiJVc2UgUHJldmlld19PcmdzIiwidmVyIjoxLCJpc3MiOiJodHRwczovL29rdGFqd3Qub2t0YS5jb20vb2F1dGgyL2F1czIxOHZxbjlodzJnOGNpMXQ3IiwiYXVkIjoiM3hENUNtUFg5M2ZiWnBQeG5TNWEiLCJpYXQiOjE0OTUxMjAzMDksImV4cCI6MTQ5NTEyMzkwOSwianRpIjoiSUQudnFNOUtmT1ZmV01vd2tGY1Vwbm85QUVDN1ZXYnd3Uk9xdWNpZHFDZVBTZyIsImFtciI6WyJwd2QiXSwiaWRwIjoiMDBvMjE3bXNvcFRXR1A1MjkxdDciLCJub25jZSI6Im4tMFM2X1d6QTJNaiIsInByZWZlcnJlZF91c2VybmFtZSI6InRlc3R1c2VyQHdvdy5jb20iLCJhdXRoX3RpbWUiOjE0OTUxMTYyNTUsImF0X2hhc2giOiJNeHpRZFo3MmpTYVRrc2VIeFF5S0VBIiwiY19oYXNoIjoiMnN3dWFCdlF5U19INjlTN3JNZjhHZyJ9.RyuIP_O0WtP2pcRTAtmBmppFd46zuYVM_9pbD4-L3VpiVyIixQdAlFXN2Nny7KrHXYMXTjAAzyAeiMmnan26CVLWjd4T-KQTOmrANwCf6u0fW-m-46jE6vou8Jw4a6B9shHyAsRWdQQoZ9gP2comme1n7-gAzznJpAUjZLW_nxwpvKkv586Qz37A2irQd5Wq_Jj4-lkSSm5HU9PaD1-ewd8pFYNKLX1YkcPgkKNkZi1GTSXEf1nB1nn4YHTBWBrIXrGpHLXIK2-GVB4kv9773HpVMzM9MhT7yaN1QRPPmFSoCKr7XjQld3-kbCBnO15N5yElPgpQIPHSLFERCZpK4g"

I have a few other items I'm storing, so I must be pushing the limit.

What I'm trying to figure out is how much overhead does the GOB consume ?

This is what my struct looks like:

type loadResponse struct {
       Access_token     string `json:"access_token"`
       Id_token         string `json:"id_token"`
       Code             string `json:"code"`
       Nonce            string `json:"nonce"`
       State            string `json:"state"`
       HasSession       string `json:"hasSession"`
       SessionToken     string `json:"sessionToken"`
       CodeClientSecret string `json:"codeClientSecret"`
       CodeUrl          string `json:"codeUrl"`
       CodeSave         string `json:"codeSave"`
       CodeRedirectUrl  string `json:"codeRedirectUrl"`
       Session          string `json:"session"`
       IsPost           string `json:"isPost"`
       Error            string `json:"error"`
       ErrorDescription string `json:"errorDescription"`
       Count            int        `json:"count"`
}

I'm really only using Code, id_token, and access_token. I could strip most of the others out.

This is definitely a hard problem to detect, don't know if it's possible. I checked for errors when I save the session, and
I always seem to get NIL back.

-Patrick.

Matt S

unread,
May 18, 2017, 3:52:04 PM5/18/17
to goril...@googlegroups.com
The encryption of the cookie value adds overhead - both base64 plus the signature (HMAC) add about 35% more bytes. gob's overhead is minimal in comparison but also adds up. 

There should be an error thrown when the size exceeds 4096 bytes, but depending on what other values are present for your domain, it may be less than that and the browser itself might reject the payload. 

Patrick McDowell

unread,
May 22, 2017, 7:41:45 AM5/22/17
to Gorilla web toolkit
I ended up storing the payload as a JSON string, and that seems to work, so I guess I found a work around.

The weirdest part was when stings stopped storing, it was somewhat unpredictable. Suddenly I'd notice
some items were not storing in the gob,  I didn't notice an error from the server side, just items didn't
show up.

Thanks again for the support.
Reply all
Reply to author
Forward
0 new messages