FusionAuth / fusionauth-issues

FusionAuth issue submission project
https://fusionauth.io

An empty name and empty value cookie is being set (HttpOnly) #2766

Open ivkremer opened 1 month ago

ivkremer commented 1 month ago

Unused no-name and no-value cookie is set

Description

When I'm navigating to e.g. my-sso.product.com/oauth2/register, there is such a header being set among others:

set-cookie: HttpOnly

I believe there could be a cookie with its name and value and also an HttpOnly option, but somehow the name and value are empty strings, and instead of not creating a corresponding header, FA sets such an empty cookie.

Observed versions

1.50.0

Steps to reproduce

  1. Navigate to /oauth2/register?...;
  2. There are three cookies being set among the response headers:
    set-cookie: federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure
    set-cookie: fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure
    set-cookie: HttpOnly

Expected behavior

Such a header doesn't exist:

set-cookie: HttpOnly

Platform

Any browser.

Additional context

Some browsers, e.g. Safari, would just ignore such a cookie, while some others, e.g. Google Chrome, would set a cookie with an empty name and HttpOnly as a value.
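A small check for the condition described in this report, added here as an example (it is not FusionAuth code): it parses Set-Cookie values the way the RFC 6265bis cookie-parsing steps do, where a first segment without `=` yields an empty name and the whole segment as the value, and flags headers whose cookie has an empty name or value. The three sample headers are the ones quoted above; the function names are assumptions.

```python
"""Flag Set-Cookie headers that produce an empty cookie name or value."""

# Constructed sample: the three Set-Cookie values quoted in the issue above.
SAMPLE_HEADERS = [
    "federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure",
    "fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure",
    "HttpOnly",
]


def parse_set_cookie(header: str) -> dict:
    """Parse one Set-Cookie value per the RFC 6265bis algorithm.

    The text before the first ';' is the name-value pair. If it contains no
    '=', the name is empty and the whole segment becomes the value (RFC 6265
    told user agents to drop such a cookie; newer browsers keep it). Anything
    after the first ';' is treated as attributes, so a bare "HttpOnly" header
    is NOT an HttpOnly cookie: it is a nameless cookie whose value is "HttpOnly".
    """
    first, *attrs = header.split(";")
    if "=" in first:
        name, _, value = first.partition("=")
    else:
        name, value = "", first
    parsed = {"name": name.strip(), "value": value.strip(), "attrs": {}}
    for attr in attrs:
        key, _, val = attr.strip().partition("=")
        parsed["attrs"][key.strip().lower()] = val.strip()
    return parsed


def find_malformed(headers: list) -> list:
    """Return one finding string per header with an empty cookie name or value."""
    findings = []
    for raw in headers:
        cookie = parse_set_cookie(raw)
        if not cookie["name"]:
            findings.append(
                f"empty cookie name: {raw!r} (browsers that accept nameless cookies "
                f"store value {cookie['value']!r}, without the HttpOnly flag)"
            )
        elif not cookie["value"]:
            findings.append(f"empty cookie value for {cookie['name']!r}: {raw!r}")
    return findings


if __name__ == "__main__":
    for finding in find_malformed(SAMPLE_HEADERS):
        print(finding)
```

Running this over a captured response (for example the values of every `Set-Cookie` header from `requests`' `response.raw.headers.getlist("Set-Cookie")`) surfaces the stray header from this report as a single finding.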

robotdan commented 3 weeks ago

Thanks for opening the issue @ivkremer and thank you for using FusionAuth! We'll look into this!