keitaroinc / ckanext-saml2auth

CKAN extension to enable Single Sign-On (SSO) for CKAN data portals via SAML2 Authentication.
GNU Affero General Public License v3.0

[BUG] Two auth_tkt cookies created after login #58

Open oyvindskj opened 3 years ago

oyvindskj commented 3 years ago

Describe the bug: Using Azure AD for SSO with CKAN, two auth_tkt cookies are created after login. They are equal, but with different domain:

When logging out, only cookie2 is deleted, leaving cookie1 to keep my session towards CKAN alive. If I try logout again, Azure says I am already logged out and cookie1 remains active.

ckanext-saml2auth version affected: v1.2.1

Expected behaviour: To be logged out of CKAN when I click "Log out"

duskobogdanovski commented 3 years ago

Hey @oyvindskj, could you please provide more details because I'm not able to reproduce the issue, thanks.

oyvindskj commented 3 years ago

Hi @duskobogdanovski. What I see is that when Azure does the callback POST https://test-data.mydomain.com/acs which then returns 302 with header location: https://test-data.mydomain.com/user/me, there are 3 response headers like this:

some-value is equal across the three headers. I looked in the SAML body that was posted, but could not find any .test there. Can it be some misconfiguration of our CKAN?

duskobogdanovski commented 3 years ago

@oyvindskj, the leading dot means that the cookie is valid for subdomains as well; nevertheless recent HTTP specifications (RFC 6265) changed this rule so modern browsers should not care about the leading dot. The dot may be needed by old browsers implementing the deprecated RFC 2109. Could you please verify that after you log out, the ckan and auth_tkt cookies are deleted?
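The cookie-scope rule discussed above, as an added example that is not part of this thread or of ckanext-saml2auth: a minimal Python cookie store keyed the way browsers key cookies (a host-only cookie and a domain cookie with the same name are separate entries), loaded with constructed Set-Cookie headers modelled on the reporter's description. It shows that a logout which expires only the domain-scoped auth_tkt cookie leaves the host-only one (and the ckan cookie) in place until every scope the cookies were set under is expired. Host name and cookie values are constructed, not taken from a real deployment.

```python
HOST = "test-data.mydomain.com"  # request host, constructed from the report

def parse_set_cookie(header, request_host=HOST):
    """Return ((name, scope, path), value, remove) for one Set-Cookie value.
    No Domain attribute -> host-only cookie scoped to the request host.
    Domain=.x -> domain cookie for x and its subdomains (RFC 6265 ignores
    the leading dot); browsers store the two scopes as distinct entries.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {k.strip().lower(): v.strip() for k, _, v in (p.partition("=") for p in parts[1:])}
    if "domain" in attrs:
        scope = "." + attrs["domain"].lstrip(".").lower()
    else:
        scope = request_host.lower()
    max_age = attrs.get("max-age")
    remove = max_age is not None and int(max_age) <= 0
    return (name, scope, attrs.get("path", "/")), value, remove

class CookieStore:
    def __init__(self):
        self.cookies = {}

    def apply(self, set_cookie_headers):
        """Apply the Set-Cookie headers of one response to the store."""
        for h in set_cookie_headers:
            key, value, remove = parse_set_cookie(h)
            if remove:
                self.cookies.pop(key, None)  # expiry removes only the exact key
            else:
                self.cookies[key] = value

    def live(self, name):
        """Scopes under which a cookie with this name is still stored."""
        return sorted(s for n, s, _ in self.cookies if n == name)

# Constructed login response: one auth_tkt value set under both scopes.
LOGIN = ["auth_tkt=some-value; Path=/",
         "auth_tkt=some-value; Path=/; Domain=.test-data.mydomain.com",
         "ckan=session-id; Path=/"]
# Logout that expires only the domain-scoped auth_tkt cookie.
PARTIAL_LOGOUT = ["auth_tkt=; Path=/; Domain=.test-data.mydomain.com; Max-Age=0"]
# Logout that expires every scope the cookies were set under.
FULL_LOGOUT = PARTIAL_LOGOUT + ["auth_tkt=; Path=/; Max-Age=0", "ckan=; Path=/; Max-Age=0"]

def after_logout(logout_headers):
    """Return (auth_tkt scopes, ckan scopes) still stored after login then logout."""
    store = CookieStore()
    store.apply(LOGIN)
    store.apply(logout_headers)
    return store.live("auth_tkt"), store.live("ckan")
```

A server-side check for this class of bug is to compare the Set-Cookie headers of the login response with those of the logout response and confirm every (name, Domain, Path) combination set at login is expired at logout.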

oyvindskj commented 3 years ago

@duskobogdanovski This is described in the initial issue: only one of the two auth_tkt cookies is deleted. Also, the ckan cookie remains. I am using Chrome 93.0.4577.82.

mbocevski commented 3 years ago

@oyvindskj this is quite peculiar, because the behavior is correct: cookies are set and managed by core CKAN, and you can see that even the tests expect the same behavior https://github.com/ckan/ckan/blob/0ab924d5ea331625bd61a805f23c68a17f028193/ckan/tests/lib/test_auth_tkt.py. However, it could be a real bug/issue, so it would be great to know which CKAN core version you're running.

oyvindskj commented 3 years ago

2.9.3 is our CKAN version @mbocevski

/api/3/action/status_show gives { "success": true, "result": { "site_url": "https://test-data.mydomain.com", "ckan_version": "2.9.3", "error_emails_to": null, "locale_default": "nb_NO", "extensions": [ "scheming_datasets", "pages", "dcat", "stats", "text_view", "image_view", "recline_view", "recline_graph_view", "recline_grid_view", "recline_map_view", "datastore", "datapusher", "resource_proxy", "pdf_view", "hidegroups", "saml2auth" ] } }

I removed two extensions we have developed ourselves.

oyvindskj commented 3 years ago

Let me know if there is something I can do to help. I tried with Edge as well - same behaviour.