Azure-Samples / ms-identity-python-webapp

A Python web application calling Microsoft Graph that is secured using the Microsoft identity platform
MIT License

Issue on clearing the previous logged in cookies #59

Closed skyskitter closed 3 years ago

skyskitter commented 3 years ago

Following the steps to hook it up with my application, after a successful login and logout, a user can log in with a fake account without entering any password. The name logged in is the same as the previous login. I submitted a support request to Microsoft and it seems the login information inside the cookies is not properly cleared.

Any idea on this issue? Thanks a lot!

rayluo commented 3 years ago

How did your app handle the "login information inside the cookies"? Currently, this sample aggressively wipes out the entire session; also, this sample does not directly store any info in a cookie. Did YOUR app somehow maintain some info in your cookie?

skyskitter commented 3 years ago

Thanks for your reply. I did not make any code change except updating the application-related information in app_config.py. Does MSAL also write something in the cookie? If so, is it the responsibility of the app to clean it up?

The following are words from Microsoft support: "While working with you on this, it was discussed that the app does not provide session clean-up in an expected manner."

rayluo commented 3 years ago

Does msal also write something in the cookie? If so is it the responsibility of the app to clean it up?

MSAL itself does not write anything to anywhere. It is this Flask-powered sample app that stores the current login information into a "session". However, this app already cleans it up, in the code snippet I linked to in my previous response.

words from microsoft support: "... it was discussed that the app does not provide session clean-up in an expected manner. "

I was not in such conversation, so I do not know the context.

At this point, I feel like the only way to have a productive conversation is for you to provide step-by-step detail to reproduce the issue. Based on what you mentioned so far, can you confirm or fill in the following steps?

  1. Clone/download this sample, WITHOUT any change to its app.py
  2. Modify app_config.py with my configuration (Note: Can you at least tell us what kind of config you used? Are you using a specific AAD tenant? or MSA? or B2C? etc.)
  3. ...?
  4. after a successful login and logout
  5. "user can login with fake account" - BUT HOW? Wouldn't this app bring you to the AAD sign-in page? - "and without entering any password. The name logged in is the same as previous login." ???
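
As an added illustration, not code from the sample or from either participant, the two layers a logout has to clear are shown below: the server-side session the sample keeps (the part `session.clear()` handles) and the identity provider's own sign-in session, which lives in browser cookies at AAD and, for a federated tenant, at ADFS. Clearing only the app session leaves those cookies in place, so the next `/login` round-trips to AAD and completes silently for the same user until the browser is closed, which matches the behaviour reported above. The authority, client id and redirect URIs are placeholder assumptions; the `/oauth2/v2.0/logout` and `/oauth2/v2.0/authorize` paths are the Microsoft identity platform v2.0 endpoints, and `prompt=login` is the standard OpenID Connect parameter (exposed by MSAL Python as the `prompt` argument of `get_authorization_request_url`) that forces fresh credentials even when an SSO cookie exists.

```python
from urllib.parse import urlencode

# Constructed placeholders (assumptions, not values from the thread or the sample).
AUTHORITY = "https://login.microsoftonline.com/contoso.onmicrosoft.com"
CLIENT_ID = "00000000-0000-0000-0000-000000000000"
REDIRECT_URI = "https://localhost:5000/getAToken"
POST_LOGOUT_REDIRECT_URI = "https://localhost:5000/"


def logout(session, authority=AUTHORITY,
           post_logout_redirect_uri=POST_LOGOUT_REDIRECT_URI):
    """Clear the app-side session, then return the identity provider's
    end-session URL the browser must be redirected to.

    session.clear() removes only what the app stored (id-token claims, the
    MSAL token cache). The browser still holds the AAD sign-in cookie, and
    behind a federated tenant the ADFS SSO cookie too; only the redirect to
    the end-session endpoint lets the identity provider drop those.
    """
    session.clear()
    query = urlencode({"post_logout_redirect_uri": post_logout_redirect_uri})
    return f"{authority}/oauth2/v2.0/logout?{query}"


def authorize_url(state, scopes=("openid", "profile"), force_credentials=False):
    """Build the authorization request for the login step.

    With force_credentials=True the request carries prompt=login, which tells
    AAD (and the federated IdP it chains to) to ask for credentials again even
    if a valid SSO cookie is present, instead of signing the user in silently.
    """
    params = {
        "client_id": CLIENT_ID,
        "response_type": "code",
        "redirect_uri": REDIRECT_URI,
        "scope": " ".join(scopes),
        "state": state,  # bind the response to this browser session
    }
    if force_credentials:
        params["prompt"] = "login"
    return f"{AUTHORITY}/oauth2/v2.0/authorize?{urlencode(params)}"


if __name__ == "__main__":
    # Constructed stand-in for a Flask session after a successful login.
    session = {"user": {"name": "Jane Doe"}, "token_cache": "<serialized cache>"}
    print(logout(session))            # where the browser is sent; session is now {}
    print(authorize_url("abc123", force_credentials=True))
```

In a Flask app the return value of `logout()` is what the `/logout` route should `redirect()` to; the post-logout redirect URI must be registered on the app registration or AAD will refuse it. Use `prompt=login` sparingly, since it defeats the SSO users expect across apps in the same tenant.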

skyskitter commented 3 years ago

@rayluo Thanks for your effort, please see my answer below based on my knowledge till now.

  1. Clone/download this sample, WITHOUT any change to its app.py -> yes
  2. Modify app_config.py with my configuration (Note: Can you at least tell us what kind of config you used? Are you using a specific AAD tenant? or MSA? or B2C? etc.) -> I am using my company's AAD tenant, not B2C. The AAD is redirecting the login request to a federated ADFS server.
  3. after a successful login and logout "user can login with fake account" - BUT HOW? Wouldn't this app bring you to the AAD sign-in page? - "and without entering any password. The name logged in is the same as previous login." ??? -> It is correct. For now we know the user name and password are saved inside the browser, and on the next login it automatically fills the login form from the federated ADFS server. If I close all opened browsers and reopen again, everything goes back to normal. The unknown thing is where they are saved. It should not be the cookies or browser password records, as tested. However, clearly for now it is not caused by this Python example. Thanks again.

rayluo commented 3 years ago

Thanks for following up with that info. Yes, there could be multiple separate "layers" that affect the login experience:

Based on the conversation so far, yes, we agree with your conclusion that "it is not caused by this Python example". Thank you.