Uninett / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Mellon Cookie #164

Closed lmuhlha closed 6 years ago

lmuhlha commented 6 years ago

I have a question relating to when mellon-cookie gets set to cookietest: "5.10. Mellon Cookie Mellon Session information is communicated via a cookie. The cookie name defaults to mellon-cookie but may be changed via the Mellon directive MellonVariable. Mellon always forms the cookie name by appending the value of MellonVariable to the string mellon- to prevent name collisions. Thus the actual default value of MellonVariable is cookie.

When Mellon first begins the authentication process it sets the mellon cookie value to cookietest. The primary purpose of the cookietest value is to confirm cookies are properly returned by the browser, Mellon will not work correctly unless cookies are enabled. The cookietest value also serves as a temporary value indicating an authentication flow is in progress but has not yet completed.

After Mellon successfully authenticates a user it establishes a session for the user and generates a unique session ID which it sets as the value of the Mellon cookie. When Mellon receives a request for a protected resource it looks for the Mellon cookie in the HTTP request headers. Mellon then uses the Mellon cookie value as a session ID and attempts to look-up that session using that ID. If the session is found and it remains valid, Mellon immediately grants access. A Mellon session will expire, see Mellon Session for information concerning session lifetime."

We have been using mod_auth_mellon with Okta as an IDP for our ssoproxy for a little while now. I've recently started seeing an issue where users will intermittently get "Bad Request" when trying to access an internal service. While looking into this, I noticed that in these cases cookietest is stuck as the mellon-cookie. When the user clears their cookies, they are able to get to the app and the cookie becomes the session ID as expected. Was wondering if you've seen behavior like this before and what you think could be causing it?

Thanks!

olavmrk commented 6 years ago

Hi,

is the failing URL by any chance the /mellon/postResponse endpoint? In that case, it would explain the cookie, since that is the URL the IDP sends the authentication response to.

In any case, you should check the contents of the Apache error log files -- if mod_auth_mellon returns a 400 bad request, it should have logged some sort of error to that log.

lmuhlha commented 6 years ago

Hey, thanks for the reply. So for example in the error log kibana-shield.spotify.net_error_ssl.log, which is for the site kibana-shield.spotify.net, we get errors related to other internal sites behind mod_auth_mellon & Okta:

[Mon Apr 09 16:43:58.765124 2018] [auth_mellon:error] [pid 5221:tid 140535649969920] [client 10.22.20.20:42816] Invalid Audience in Conditions. Should be: https://authenticator.spotify.net/mellon/metadata, referer: https://spotify.okta.com/app/spotifyprod_kibanashieldsn_1/exk6eoaa6fZNstnwg1t7/sso/saml?SAMLRequest=

[Mon Apr 09 17:10:44.660258 2018] [auth_mellon:error] [pid 28672:tid 140535801038592] [client 10.22.20.20:37993] Invalid Audience in Conditions. Should be: https://rooms.spotify.net/mellon/metadata, referer: https://spotify.okta.com/app/spotifyprod_kibanashieldsn_1/exk6eoaa6fZNstnwg1t7/sso/saml?SAMLRequest=

[Tue Apr 10 13:47:51.433142 2018] [auth_mellon:error] [pid 18563:tid 139756985886464] [client 10.22.20.20:43793] Invalid Audience in Conditions. Should be: https://scoreboard.spotify.net/mellon/metadata, referer: https://spotify.okta.com/app/spotifyprod_kibanashieldsn_1/exk6eoaa6fZNstnwg1t7/sso/saml?SAMLRequest=

Is it possible that the session IDs are getting re-used or something is cached? I was going to attempt to set MellonCacheSize to 500 or higher thinking it might remediate the issue since I have also seen:

[Mon Apr 09 16:47:56.335912 2018] [auth_mellon:notice] [pid 7511:tid 140193654580992] Dropping LRU entry entry with age = 3572s, which is less than one hour. It may be a good idea to increase MellonCacheSize.

[Mon Apr 09 16:47:56.336008 2018] [auth_mellon:warn] [pid 7511:tid 140193654580992] [client 199.48.228.95:50393] AttributeValue element was empty., referer: https://spotify.okta.com/app/spotifyprod_jirasn_4

olavmrk commented 6 years ago

At the point where you get the errors mod_auth_mellon hasn't tried to load any sessions. It is in the process of validating a login response from the IDP, which it will use to create a new session.

The errors are caused by a mismatch between the Audience the IDP sets in its authentication response and the entityID that mod_auth_mellon thinks that it has. This would indicate some sort of configuration error, either in mod_auth_mellon or the IDP.

My suggestion is to try to reproduce the problem while using a browser extension that decodes SAML messages, and checking the issuer and recipient for all messages to make sure that they are correct.

lmuhlha commented 6 years ago

It's challenging to have the SAML tracer open while this occurs because it is fairly random / sporadic. But thanks for this info, this is very helpful!

gaurish-sharma commented 5 years ago

Hi lmuhlha, just checking if you were able to get to the root cause of this issue? I am also getting a similar error (400 Bad Request and stuck at mellon/postResponse). This is very random and generally it works, but some users do experience it sometimes.

Let me know if you were able to find the cause and fix for this issue.

Thanks, Gaurish

lmuhlha commented 5 years ago

Hey @gaurish-sharma, we were eventually able to figure out the issue. We had an internal site that was simply the base URL that was triggering this behavior.

For example:

test.example.net
test2.example.net
example.net

So if these were the 3 sites available, any time someone would visit example.net, they would start getting the errors.

We had to add MellonVariable "<%= $host %>" to our config file to remediate the issue.
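
An added example (not from the mod_auth_mellon project or from this thread) that models the collision lmuhlha describes with Python's standard cookie jar. It assumes the mellon cookie was scoped to the parent domain (for instance via MellonCookieDomain), since a host-only cookie set by example.net would never reach its subdomains, and it uses constructed Set-Cookie headers in place of what Apache would actually send.

```python
from email.message import Message
from http.cookiejar import CookieJar
from urllib.request import Request


class _SetCookieResponse:
    """Minimal response stand-in so CookieJar can parse constructed Set-Cookie headers."""

    def __init__(self, set_cookie_values):
        self._headers = Message()
        for value in set_cookie_values:
            self._headers["Set-Cookie"] = value  # Message keeps repeated headers

    def info(self):
        return self._headers


def mellon_cookie_name(mellon_variable):
    # mod_auth_mellon always builds the cookie name as "mellon-" + MellonVariable
    return "mellon-" + mellon_variable


def set_mellon_cookie(jar, host, mellon_variable, value, cookie_domain=None):
    # cookie_domain models a parent-domain cookie scope (an assumption about this thread's setup)
    header = f"{mellon_cookie_name(mellon_variable)}={value}; Path=/; Secure"
    if cookie_domain:
        header += f"; Domain={cookie_domain}"
    jar.extract_cookies(_SetCookieResponse([header]), Request(f"https://{host}/"))


def cookies_sent_to(jar, host):
    """Return {name: value} the browser would attach to a request for https://host/."""
    req = Request(f"https://{host}/")
    jar.add_cookie_header(req)
    raw = req.get_header("Cookie")
    return dict(part.split("=", 1) for part in raw.split("; ")) if raw else {}


def shared_name_scenario():
    """Default MellonVariable "cookie" on every vhost: a visit to the apex host sets
    mellon-cookie=cookietest and the browser replays it to test.example.net."""
    jar = CookieJar()
    set_mellon_cookie(jar, "example.net", "cookie", "cookietest", "example.net")
    return cookies_sent_to(jar, "test.example.net")


def per_host_name_scenario():
    """MellonVariable set to the vhost name: the apex cookie is still sent, but under
    a name that test.example.net's mod_auth_mellon never reads."""
    jar = CookieJar()
    set_mellon_cookie(jar, "example.net", "example.net", "cookietest", "example.net")
    set_mellon_cookie(jar, "test.example.net", "test.example.net", "s3ss10n", "example.net")
    return cookies_sent_to(jar, "test.example.net")
```

In the first scenario test.example.net receives mellon-cookie=cookietest, a login-in-progress marker it never issued, which is why that host's flow stalls; in the second each vhost owns a distinct cookie name, matching the fix above.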

gaurish-sharma commented 5 years ago

Thanks much for your response