Skip to content

fix: Only set SESSION_COOKIE_DOMAIN in multi-tenant mode #884

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Closed
bokelley wants to merge 1 commit into from
Closed

fix: Only set SESSION_COOKIE_DOMAIN in multi-tenant mode #884

bokelley wants to merge 1 commit into from

Conversation

@bokelley
Copy link
Contributor

@bokelley bokelley commented Dec 26, 2025
edited
Loading

Problem

Login fails in single-tenant deployments (Fly.io, Cloud Run, Docker) because session cookies are rejected due to domain mismatch.

Root Cause

src/admin/app.py:122 always sets SESSION_COOKIE_DOMAIN to a hardcoded multi-tenant domain (.sales-agent.scope3.com), even when ADCP_MULTI_TENANT=false.

In single-tenant mode, Flask should use the actual request domain for session cookies instead of a hardcoded domain.

Fix

  • Only set SESSION_COOKIE_DOMAIN when ADCP_MULTI_TENANT=true
  • In single-tenant mode (default), Flask automatically uses the request domain
  • Add documentation explaining session cookie behavior in both modes

Impact

  • Fixes authentication for all single-tenant deployments
  • No change to multi-tenant behavior
  • Tested with Wonderstruck Fly.io deployment

Testing

  1. Deploy to Fly.io with ADCP_MULTI_TENANT=false (default)
  2. Visit /login with ADCP_AUTH_TEST_MODE=true
  3. Verify login succeeds and session persists
  4. Verify cookie domain matches actual deployment domain

Related to #885 (nginx configuration issue for single-machine deployments)

@bokelley
fix: Only set SESSION_COOKIE_DOMAIN in multi-tenant mode
1db8702 
Fixes login issues in single-tenant deployments where session cookies
were being rejected due to domain mismatch.

In single-tenant mode (ADCP_MULTI_TENANT=false), Flask should use the
actual request domain for session cookies rather than a hardcoded
multi-tenant domain.

This affects all single-tenant deployments including Fly.io, Cloud Run,
and Docker deployments.

Fixes authentication for single-tenant publishers deploying their own
sales agent instances.
@bokelley bokelley mentioned this pull request Dec 26, 2025
Merged
@bokelley
Copy link
Contributor Author

bokelley commented Dec 26, 2025

Superseded by #886

@bokelley bokelley closed this Dec 26, 2025
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

No reviews

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

2 participants

@bokelley