Adaptive Content Auth Failure: Unexpected Duplicate gitbook-visitor-token Cookie Created

[Saksham573001]

Bug description

I am currently implementing GitBook Adaptive Content (Visitor Authentication) for my documentation hosted at doc.avaamo.com. My implementation involves sending the gitbook-visitor-token via cookies to authenticate users.

The Issue: Unexpectedly, a second, separate cookie is being generated on the specific domain doc.avaamo.com.

Intended Behavior: The browser should retain the gitbook-visitor-token I set (containing the signed JWT).

Observed Behavior: A duplicate cookie with the same name (or similar name pattern) and a generic UUID value is automatically created on the subdomain.

Impact: GitBook prioritizes this auto-generated cookie over the valid authentication token. As a result, visitor authentication fails.

Troubleshooting Performed:

I confirmed that if I manually delete the unexpected "UUID" cookie via browser dev tools, GitBook correctly picks up the valid token and authentication works as expected.

I have verified that my application logic is not generating this second cookie.

Environment:

Domain: doc.avaamo.com

Auth Method: Adaptive Content via Cookies (gitbook-visitor-token)

Additional context

[Saksham573001]

@BrettJephson @gregberge @sebastiangraz would mean a lot if any one of you could help me with this

[addisonschultz]

Hi @Saksham573001 - can you share more info on how you’re configuring the Authenticated Access login? You should be passing int the JWT via URL: https://gitbook.com/docs/publishing-documentation/authenticated-access/setting-up-a-custom-backend#id-2.-sign-and-pass-a-jwt-token-to-gitbook

[Saksham573001]

Hi @addisonschultz - this cookie is mostly for the adaptive content in gitbook.. was following this documentation for your reference https://gitbook.com/docs/publishing-documentation/adaptive-content/enabling-adaptive-content/cookies i was passing signed jwt token in gitbook-visitor-token that is working fine also only issue is that second token with uuid gets created automatically which somehow causes the issue.. please refere screenshot to go through the cookie token.. let me share my ruby code for your reference

`visitor_claims = {
isAvaamoUser: avaamo_internal_user?
}

token = JWT.encode(
  visitor_claims.merge({
    iat: Time.now.to_i,
    exp: (Time.now + Constants::GitBook::VISITOR_TOKEN_EXPIRY).to_i
  }),
  ENV['GITBOOK_SIGNING_KEY'],
  'HS256'
)

cookies[Constants::GitBook::VISITOR_COOKIE_NAME] = common_cookie_options.merge({
  value: token,
  expires: Constants::GitBook::VISITOR_TOKEN_EXPIRY
})
`

[Saksham573001]

Hi @addisonschultz , is there any update regarding.. it will mean a lot if you could find why this was happening exactly?

[Saksham573001]

This might also be due to domain issue in documentation it was mentioned the domain should preferably be .avaamo.com this new cookie being created has domain docs.avaamo.com should i try sending this token for domain docs.avaamo.com

[Saksham573001]

i think i found the issue i am calling gitbook like this https://docs.avaamo.com/user-guide-test-private/?jwt_token=my_jwt_token and in cookies sending gitbook-visitor-token=my_gitbook-visitor-token this now i think so gitbook creates a new cookie key gitbook-visitor-token+uuid maybe for space specific session but the token inside gitbook-visitor-token+uuid is my 'my_jwt_token' not 'my_gitbook-visitor-token'. is it because i'm sending the 'my_jwt_token' in params? any kind of help will be appreciated.

[addisonschultz]

Basically how the login flow should work

• You visit docs.avaamo.com
• You are met with a sign in screen, you sign in
• You should use a similar set up to step 3 in this page: https://gitbook.com/docs/publishing-documentation/adaptive-content/enabling-adaptive-content/cookies#signed-cookie
• After setting this up and redirecting, it should load your docs, and you should have the claims attached to the right cookie

[Saksham573001]

@addisonschultz I have followed this doc only and as mentioned in the doc that gitbook-visitor-token is visible to me in the cookies of browers which is right.. problem occurs when a new jwt token with same name is created by gitbook with different token that does not have my adaptive config.. can you check in gitbook code when is gitbook creating this gitbook-visitor-token manually from there end and how can i avoid this duplicate creation.. if you're free for a call anytime i can explain this issue to you there too and probably we can discuss work around to that.. thanks