fix(browser): Ensure user id is consistently added to sessions#19341
fix(browser): Ensure user id is consistently added to sessions#19341
Conversation
![cursor[bot]](https://avatars.githubusercontent.com/in/1210556?s=60&v=4){kind=small}
Codecov Results 📊Generated by Codecov Action |
size-limit report 📦
|
![sentry[bot]](https://avatars.githubusercontent.com/in/12637?s=60&v=4){kind=small}
node-overhead report 🧳Note: This is a synthetic benchmark with a minimal express app and does not necessarily reflect the real-world performance impact in an application.
|
Lms24
changed the title
Sentry.setUser calls
| isolationScope.addScopeListener(scope => { | ||
| const maybeNewUser = scope.getUser(); | ||
| // sessions only care about user id and ip address, so we only need to capture the session if the user has changed | ||
| if (previousUser?.id !== maybeNewUser?.id || previousUser?.ip_address !== maybeNewUser?.ip_address) { |
There was a problem hiding this comment.
Scope listener misses user changes with only email/username
Medium Severity
The scope listener condition only checks previousUser?.id and previousUser?.ip_address for changes, but updateSession in session.ts derives the session did from context.user.id || context.user.email || context.user.username. If Sentry.setUser({ email: 'test@test.com' }) is called without an id or ip_address, the listener won't detect the change (both comparisons evaluate to undefined !== undefined → false), so captureSession() is never called. The session internally has the did set, but the update is never sent to Sentry. The comment "sessions only care about user id and ip address" doesn't match the actual did derivation logic.
There was a problem hiding this comment.
That's intentional. The only fields picked from the user are the id and the ip_address (if ever set in the browser). So we only need to watch these for changes.
|
|
||
| While we're at it, if you're using Sentry in a Single Page App or meta framework, you might want to give the new `'page'` session lifecycle a try! | ||
| This new mode no longer creates a session per soft navigation but continues the initial session until the next hard page refresh. | ||
| Check out the [docs](TODO LINK) to learn more! |
There was a problem hiding this comment.
l: Just a reminder to not forget to set the link in the docs
Co-authored-by: Jan Peer Stöcklmair <jan.peer@sentry.io>
There was a problem hiding this comment.
Cursor Bugbot has reviewed your changes and found 2 potential issues.
Bugbot Autofix is OFF. To automatically fix reported issues with Cloud Agents, enable Autofix in the Cursor dashboard.
|
|
||
| While we're at it, if you're using Sentry in a Single Page App or meta framework, you might want to give the new `'page'` session lifecycle a try! | ||
| This new mode no longer creates a session per soft navigation but continues the initial session until the next hard page refresh. | ||
| Check out the [docs](TODO LINK) to learn more! |
There was a problem hiding this comment.
Placeholder TODO link in changelog entry
Medium Severity
The changelog contains a [docs](TODO LINK) placeholder that hasn't been replaced with an actual URL. This would be published as-is in the release notes, leaving users with a broken/meaningless link.
| import: createImport('init'), | ||
| gzip: true, | ||
| limit: '24.1 KB', | ||
| limit: '24.5 KB', |
There was a problem hiding this comment.
Bundle size increases in browser packages
Low Severity
Multiple browser bundle size limits were increased (e.g., treeshaken build from 24.1 KB to 24.5 KB, CDN bundles up by ~1 KB each). The increases come from adding getIsolationScope, scope listener logic, and getCombinedScopeData import into the session integration. Flagging per project rules — these may be unavoidable given the fix.
Additional Locations (2)
Triggered by project rule: PR Review Guidelines for Cursor Bot
3 participants
This PR fixes multiple bugs and problems around browser sessions, mostly related to user id assignment:
When calling
Sentry.setUser()on static pages (i.e. no soft navigations), the user id would never be added to sessions. This is because in static pages, we don't send an"exited"session update. The fix: We send a session update whenever the user is set on the isolationScope (see comment about limitations)When calling
Sentry.setUser()in a single page application (i.e. with soft navigations), we would update the initial session with the user data when starting a new session for a new navigation. However, we did not include the user id on the new session, because thegetCurrentScope().getUser() || getIsolationScope().getUser()check was flawed. The fix: we use ourgetCombinedScopeDatahelper to get the "correct" (read, consistently like in other telemetry items) user.It seems like we had an incorrect check that would skip creating a new sessions for the first soft navigation after the pageload (in the default
'route') session lifecycle. The fix: We no longer check forfrombeing undefined.In addition, I also added a new
waitForSessionhelper and refactored most session integration tests to use this helper. This allows us to more granularly listen to multiple session envelopes simultaneously without running into collision risks.As a result of these fixes, session counts could increase as a whole but also metrics like "crash free users" will likely change. I added a note to the changelog calling this out.
closes #19317