In rails 5 both flash and session are empty in controller after coming back from google auth


I am using https://github.com/basecamp/google_sign_in to add google auth to my large rails app.

The auth flow in the gem is:

  1. user clicks on button that sends them to the authorization controller.
  2. authorization controller then sets 2 vars into flash and redirects to the google oauth consent form.
  3. User consents and is sent back to the callback url.
  4. The callback controller from google_sign_in should then be able to read the content of flash and verify the callback, then redirect again to user code to make use of the auth token.

The problem is that flash and session are both empty in the callback controller.

What would cause rails to empty out flash and the session on the returning call from google?


Solution

  • This was caused by the SameSite policy being set to strict. Setting it to lax allows GET redirects to provide flash and other cookies.

    The strict setting was the default in Rails but was changed to lax because GET redirects are essentially broken with the strict policy.

    Example:

    Cookies won't be set on redirect from other domains:

    # e.g. config/initializers/session_store.rb: the session cookie is never sent on
    # cross-site requests, including the browser's GET back from Google's redirect
    Rails.application.config.session_store :cookie_store, key: 'your-session', same_site: :strict

    Cookies will be set on GET redirects:

    # the session cookie is sent on cross-site top-level GET navigations (such as the
    # OAuth callback redirect), but still withheld on cross-site POSTs and subrequests
    Rails.application.config.session_store :cookie_store, key: 'your-session', same_site: :lax
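To make the answer concrete, here is an added example (not code from the gem or from the poster) that models the browser's SameSite decision for the redirect flow described in the question, and goes one step beyond the answer by also checking a cross-site POST return. The hostnames are constructed, and site comparison is simplified to host equality.

```ruby
# Added example: a small model of the browser's SameSite cookie rules, used to
# show why the Google callback sees an empty flash/session under :strict but
# not under :lax. Hostnames below are constructed for illustration.
require 'uri'

# Simplified "same site" check: real browsers compare registrable domains,
# but host equality is enough for the two hosts used here.
def same_site?(a, b)
  URI(a).host == URI(b).host
end

# Returns true if a cookie with the given SameSite attribute is attached to
# the request. `initiator` is the site that caused the request (for a
# redirect, the site that issued the 302); `target` is the request URL.
# The short-lived "Lax+POST" grace period some browsers apply is ignored.
def cookie_sent?(same_site:, initiator:, target:, method: :get, top_level: true)
  return true if same_site?(initiator, target) # same-site requests always carry cookies
  case same_site
  when :none   then true                         # cross-site always (requires Secure)
  when :lax    then top_level && method == :get  # only top-level safe-method navigations
  when :strict then false                        # never on a cross-site request
  else raise ArgumentError, "unknown SameSite value #{same_site.inspect}"
  end
end

APP      = 'https://app.example'          # constructed: the Rails application
GOOGLE   = 'https://accounts.google.com'  # the consent screen the user is sent to
CALLBACK = "#{APP}/google_sign_in/callback" # constructed callback path

# Step 3 of the flow: Google redirects the browser back to the app's callback.
# The flash cookie set in step 2 only reaches the callback controller if the
# browser is willing to attach it to this cross-site, top-level GET.
def callback_sees_session?(same_site, method: :get)
  cookie_sent?(same_site: same_site, initiator: GOOGLE, target: CALLBACK, method: method)
end

if __FILE__ == $PROGRAM_NAME
  %i[strict lax none].each do |policy|
    puts format('%-7s GET callback: %-5s POST callback: %s', policy,
                callback_sees_session?(policy), callback_sees_session?(policy, method: :post))
  end
end
```

With :strict the callback never receives the flash; with :lax it does for the GET redirect, but a provider that returns the response via a cross-site POST would still arrive without the session cookie.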