authgear / authgear-server

Open source alternative to Auth0 / Firebase Auth
https://www.authgear.com
Apache License 2.0

Easy to trigger invalid session #3552

Open fungc-io opened 8 months ago

fungc-io commented 8 months ago

Problem

It's easy to trigger the "Direct Access disallowed" error in the web apps, for example when a user quits and reopens the mobile browser. They will see a cryptic message:

Direct access to this page is disallowed

This page can only be accessed via the authorization endpoint.

Proposed change

  1. Change the message to a more user-friendly one
    1. To be handled in DEV-350: Improve error page for CSRF Error page
  2. Switch to a Max-Age cookie of 5 minutes. Each request will extend the age by 5 minutes.

Please also research whether giving up the session cookie is OK security-wise.
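Added example, not Authgear's code: a Go sketch of the sliding 5-minute Max-Age cookie proposed in item 2, refreshed on every request. The cookie name, the request path and the 30-minute absolute cap (so that sliding refresh cannot extend a session indefinitely) are assumptions.

```go
package main

import (
	"net/http"
	"net/http/httptest"
	"time"
)

const (
	cookieName     = "web_session"    // assumed cookie name
	slidingMaxAge  = 5 * time.Minute  // the proposal: Max-Age of 5 minutes, extended on every request
	absoluteMaxAge = 30 * time.Minute // assumed cap: sliding must not extend a session indefinitely
)

// sessionStore is a constructed in-memory stand-in for server-side session state: ID -> creation time.
type sessionStore map[string]time.Time

// refreshSession validates the session cookie and, if valid, re-issues it with a fresh Max-Age; false means the request gets the "direct access disallowed" error.
func refreshSession(store sessionStore, w http.ResponseWriter, r *http.Request, now time.Time) bool {
	c, err := r.Cookie(cookieName)
	if err != nil {
		return false // no cookie: the Max-Age elapsed, or a browser restart dropped a session cookie
	}
	created, ok := store[c.Value]
	if !ok || now.Sub(created) > absoluteMaxAge {
		return false // unknown session, or sliding refresh has hit the absolute cap
	}
	http.SetCookie(w, &http.Cookie{
		Name: cookieName, Value: c.Value, Path: "/",
		MaxAge:   int(slidingMaxAge.Seconds()), // each request pushes expiry out another 5 minutes
		HttpOnly: true, Secure: true, SameSite: http.SameSiteLaxMode,
	})
	return true
}

// simulate sends one request carrying session ID sid (empty = no cookie) and reports whether it was accepted and the Max-Age of the refreshed cookie.
func simulate(store sessionStore, sid string, now time.Time) (accepted bool, maxAge int) {
	r := httptest.NewRequest(http.MethodGet, "/flow", nil) // hypothetical path
	if sid != "" {
		r.AddCookie(&http.Cookie{Name: cookieName, Value: sid})
	}
	w := httptest.NewRecorder()
	if !refreshSession(store, w, r, now) {
		http.Error(w, "Direct access to this page is disallowed", http.StatusForbidden)
		return false, 0
	}
	return true, w.Result().Cookies()[0].MaxAge
}

func main() { simulate(sessionStore{"sid-1": time.Now()}, "sid-1", time.Now()) }
```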

louischan-oursky commented 3 months ago

Are we going to change the message only? Another concern is that the back to login button does not work for native apps. I think we need discussion on how we are going to fix this problem.

fungc-io commented 2 months ago

We decided to separate the error case and the real direct access case:

The real direct access case will be handled in DEV-1442: Endpoint Direct Access behaviour

In this issue, we shall focus on improving the error when the session is invalid, and reduce the chance of it happening.