Auto login cookies
We're having problems implementing this, getting "Sorry, there was an error logging you in from Clubhouse's cookies."
Is there any way to find out what that error was? :)
I've squashed a few bugs from our original code when looking for what could be wrong, and I'm sure things are right at our end now.
Also as far as I'm aware this isn't correct, it's the other way around!
Since you're setting cookies on ".yourapp.com" you'll need to make sure you're not logging people in on "www.yourapp.com", because browser security settings won't let the user create a wildcard cookie.
We're logging all people in on login.clubhouseapp.com, and all our accounts have unique subdomains, support subdomain should be no different....
Support Staff 1 Posted by Courtenay on 10 Apr, 2009 06:30 PM
If the cookies are all there and being set (you can determine this by inspecting them in the browser), the "error" is basically that your hmac signed string (tender_hash) doesn't match up. What language are you coding this in?
2 Posted by Patrick McEvoy on 10 Apr, 2009 07:00 PM
Yeah the cookies are there, using firecookie to check.
It's in C#, however I've used the test data ('monkey', etc) at the bottom of your article to confirm that the hmac is right...
3 Posted by Patrick McEvoy on 10 Apr, 2009 07:25 PM
http://monoport.com/40349
4 Posted by Patrick McEvoy on 14 Apr, 2009 04:32 PM
Any new ideas on this one?
Support Staff 5 Posted by Courtenay on 14 Apr, 2009 07:21 PM
You're sure you are using the correct secret?
Support Staff 6 Posted by Courtenay on 14 Apr, 2009 07:26 PM
We're having Rick (who speaks C#, at least a variant of it) take a look.
Support Staff 7 Posted by Courtenay on 14 Apr, 2009 07:28 PM
Can you paste all the cookie values too? That will help us debug.
Support Staff 8 Posted by Courtenay on 14 Apr, 2009 07:30 PM
Also, what exact string value are you passing to the HMAC function?
9 Posted by rick on 14 Apr, 2009 08:12 PM
Hey Patrick, I'm installing mono so I can try this out.
10 Posted by Patrick McEvoy on 14 Apr, 2009 09:12 PM
Thanks guys, this effort is muchly appreciated!
I'm pretty sure I'm using the right secret, but I enabled it way back when you were in (or just out of) private beta, so perhaps resetting it might clear things up?!
Cookies...
tender_hash=CE29AB5FCA189F768236F8D1BE28EEBB6B0F532B; expires=Tue, 28 Apr 2009 21:04:45 GMT; path=/; domain=.clubhouseapp.com
tender_expires=1240956361; expires=Tue, 28 Apr 2009 21:04:45 GMT; path=/; domain=.clubhouseapp.com
tender_email=[email blocked]; expires=Tue, 28 Apr 2009 21:04:45 GMT; path=/; domain=.clubhouseapp.com
Code to gen hash, set the cookies http://monoport.com/40406
Support Staff 11 Posted by Courtenay on 14 Apr, 2009 09:15 PM
What's epoch.toString look like?
12 Posted by Patrick McEvoy on 14 Apr, 2009 09:16 PM
Checked it, it all matches up just like the cookie value... 1240956361
Support Staff 13 Posted by Courtenay on 14 Apr, 2009 09:17 PM
Hmm, your tender hash is all upper cased.
Support Staff 14 Posted by Courtenay on 14 Apr, 2009 09:17 PM
Try lower-casing your tender_hash.
15 Posted by Patrick McEvoy on 14 Apr, 2009 09:17 PM
I wrote a little console app to test it all, not got it now tho, it's on my laptop at work
Support Staff 16 Posted by Courtenay on 14 Apr, 2009 09:18 PM
We definitely require your tender_hash to be lower cased.
17 Posted by Patrick McEvoy on 14 Apr, 2009 09:19 PM
Ah!!! I'm gonna pop that in svn and deploy to our production box, I'll get back to you
18 Posted by Patrick McEvoy on 14 Apr, 2009 09:36 PM
Yep, we're working now... thanks guys...
Also I've just seen how you take the first part of the email address as an initial name. Why not let us set 'tender_fullname' initially till (or if) tender gets a change in the profile. To be fair most users are lazy and won't bother setting a password or updating their name as they don't have to. However someone might get confused not seeing their name there. We deal with a wide range of user ages from 12-70+ and every little helps to ensure we do (and don't!!) get support tickets!!
Support Staff 19 Posted by Courtenay on 01 May, 2009 11:27 PM
Patrick,
rtfm :) tender_name is how you set that. https://help.tenderapp.com/faqs/setup-installation/include-custom-information-from-your-site
Support Staff 20 Posted by Courtenay on 01 May, 2009 11:30 PM
If you want to ensure the users don't set their own name, you want to add tender_name to the hmac at the end. So you'd sign (in ruby)
generate_hmac([self.class.support_domain, @user.email, expires, name_field].compact.join("/"))
(or in pseudocode)
was:
help.mysite.com/[email blocked]/1244023432
becomes:
help.mysite.com/[email blocked]/1244023432/Mr Foo Bar
We actually check for both versions.
Courtenay closed this discussion on 01 May, 2009 11:30 PM.
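An added example, not code from the thread or from Tender: a Ruby sketch of the signing described in this discussion, with a receiving-side check that tells a case-only mismatch (the bug found above) apart from a wrong secret or signed string. HMAC-SHA1 is assumed from the 40-hex-digit tender_hash posted in the thread; check_cookie, secure_equal? and the sample secret and e-mail are hypothetical.

```ruby
require 'openssl'

# Assumption: HMAC-SHA1, inferred from the 40-hex-digit tender_hash in the thread.
DIGEST = 'SHA1'

# Signed string is domain/email/expires, with /name appended when the name is signed.
def signed_string(domain, email, expires, name = nil)
  [domain, email, expires, name].compact.join('/')
end

# OpenSSL::HMAC.hexdigest returns lower-case hex, the form the thread says is required.
def tender_hash(secret, domain, email, expires, name = nil)
  OpenSSL::HMAC.hexdigest(DIGEST, secret, signed_string(domain, email, expires, name))
end

# Constant-time comparison so the check does not leak how many characters matched.
def secure_equal?(a, b)
  return false unless a.bytesize == b.bytesize
  a.bytes.zip(b.bytes).reduce(0) { |acc, (x, y)| acc | (x ^ y) }.zero?
end

# Hypothetical receiving-side check: accepts the hash with or without the name
# ("We actually check for both versions") and reports a case-only mismatch
# separately from a wrong secret or a wrong signed string.
def check_cookie(secret, domain, email, expires, name, cookie_hash)
  candidates = [tender_hash(secret, domain, email, expires)]
  candidates << tender_hash(secret, domain, email, expires, name) if name
  return :ok if candidates.any? { |c| secure_equal?(c, cookie_hash) }
  return :wrong_case if candidates.any? { |c| secure_equal?(c, cookie_hash.downcase) }
  :mismatch
end

# Constructed sample values; the domain, expiry and name reuse the thread's example.
SECRET  = 'constructed-secret'
DOMAIN  = 'help.mysite.com'
EMAIL   = 'user@example.com'
EXPIRES = 1244023432
NAME    = 'Mr Foo Bar'
```

Running check_cookie against the exact cookie values a site sets separates the upper-case problem seen in this thread from a wrong secret, which both surface as the same login error.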