latchset / mod_auth_mellon

An Apache module with a simple SAML 2.0 service provider

Mellon Cookie is lost in Internet Explorer #47

Open alsalehf opened 3 years ago

alsalehf commented 3 years ago

Hello,

We have configured our Apache using the Mellon auth to use SAML 2.0 in our company.

Our test index page is redirected successfully after authentication in Edge. However, IE11, which is used heavily in our company, returns a bad request error. The SSL error log says “User has disabled cookies or has lost the cookie before returning from SAML2.0 login server. Referer: [a web page]”.

I have used the developer tool network tab in IE and saw that mellon-cookie is set to cookietest at some point and never set to a session id later. The communication is stuck at the postResponse endpoint.

Please help. Thanks!

thijskh commented 3 years ago

I would check the settings of those cookies. Is the secure flag properly set and the domain and path correct?

alsalehf commented 3 years ago

I would check the settings of those cookies. Is the secure flag properly set and the domain and path correct?

Yes everything is set correctly when traced in the developers tool. The cookie secure is on. It works in Edge not in IE for some reason.

thijskh commented 3 years ago

Alright. In any case this is then an issue with that browser that we as Mellon project cannot really debug remotely. Maybe the developer toolbar can give some hints as to why the cookies are dropped.

alsalehf commented 3 years ago

I have seen another issue in the old repository where some users keep getting bad request but not sure how they resolved it. Is there a size limit for the cookie that mellon can define? Maybe IE is getting a very long header and thus dropping the cookie

thijskh commented 3 years ago

It should be evident from the cookies you can see whether they are "long", no?

alsalehf commented 3 years ago

It’s not that long. I just tried on Edge again right now and got a bad error. Sometimes it works and sometimes it doesn’t. I’m not sure where to begin to debug. Can you please help?

thijskh commented 3 years ago

I don't have access to IE11 so I cannot really debug something that happens entirely in that browser, I'm afraid.

alsalehf commented 3 years ago

The error occurred in Edge as well, so I don’t think it’s a browser issue. The Apache error log is saying the user has disabled cookies or has lost the cookie.

workflo commented 3 years ago

We also encounter this problem (mainly with Chrome) from time to time. The Apache log says "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server." and mellon-cookie has the value "cookietest". Retrying login does not work until the cookie is deleted manually or the browser is restarted.

I just encountered it with Chrome 87 / Linux today, but others have reported it for Chrome on other platforms as well. I cannot recall any reports concerning IE or Edge though (which does not prove anything).

"Certain" people seem to encounter this specific problem more often than others--which sounds quite weird. Maybe a race condition? It's very hard to get a handle on this one, because it happens so rarely.

We are currently using the following version of mod-auth-mellon: libapache2-mod-auth-mellon/stretch-backports,stretch-backports,now 0.14.2-1~bpo9+3 amd64

workflo commented 3 years ago

I finally solved my problem (which I could reproduce in Chrome >= 84 only):

```apache
MellonSecureCookie On
MellonCookieSameSite None
```

did the trick. We have a cross-domain situation here: IDP on idp.firstdomain.com and SP on sp.seconddomain.com. I still don't quite understand why Chrome treats mellon-cookie as 3rd-party, but it did and thus didn't send the mellon-cookie=cookietest back on the /mellon/login request. But, because of https://www.chromestatus.com/feature/5088147346030592 everything worked within the first 2 minutes after first invoking the login page but failed after this magic 2-minute window!

rgriffogoes commented 3 years ago

Just created a pull request based on my understanding of the documentation and of the code. With the change, the CookieTest will have SameSite=None regardless of the configuration.

As a workaround, I also did like @workflo and set the properties:

```apache
MellonSecureCookie On
MellonCookieSameSite None
```

vladsf commented 3 years ago

lax

This is due to the POST response. Lax cookies are not sent to /mellon/postResponse. Only GET requests have cookies attached.

moihn commented 2 years ago

It seems now by default the cookietest will be sent with SameSite=None even if the MellonCookieSameSite is omitted in httpd.conf.

I have these commented out:

```apache
# MellonSecureCookie On
# MellonCookieSameSite None
```

But my browser developer tool told me: [screenshot of the developer tool cookie view, not included here]

So finally, my SP cannot get this cookie and says:

User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.

This behavior doesn't match the message in the commit referenced above:

get SameSite=None regardless of samesite setting, unless samesite
property is disabled.

In my case, it is the "unless samesite property is disabled", and it should not set SameSite=None, am I right?

On the old 0.14 version, SameSite=None will not be set if I omit MellonCookieSameSite from httpd.conf; I can see that from the Chrome developer tool of the same version of the Chrome browser: [screenshot of the developer tool cookie view, not included here]

lbenz commented 2 years ago

@moihn are you using Okta? I am facing the same issue with exactly the same Apache log message "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server." The version of Mellon is mod_auth_mellon-0.14.0-8, thus I am unable to use directives like MellonDiagnostic On or MellonCookieSameSite None.

MarkJaroski commented 2 years ago

We see this from time to time with AzureAD as the IDP. I'm one of the users who experiences it, in Chrome.

Since it was happening to me, I had presumed that it was because of cookie header overload, because I do a lot of testing, but it seems to happen to a handful of other users too.

moihn commented 2 years ago

@moihn are you using Okta? I am facing the same issue with exactly the same Apache log message "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server." The version of Mellon is mod_auth_mellon-0.14.0-8, thus I am unable to use directives like MellonDiagnostic On or MellonCookieSameSite None.

No, it is not with Okta. It seems to be with PingIdentity SSO, but I am not so sure as we are only on the SP side.

moihn commented 2 years ago

I think these two lines that force SameSite=None are the culprit: https://github.com/latchset/mod_auth_mellon/commit/7ef4ae72a8578475064eb66e3ed5703ccf6ee078#diff-f2861001cdce29984f5031aa6ff007f0390c449c818ba5052daf5abfdb20cc48R3268

If SameSite=None is needed, people should just configure MellonCookieSameSite None; the code shouldn't hardcode/force it.

moihn commented 2 years ago

I currently have to use `# BrowserMatch "Chrom* " MELLON_DISABLE_SAMESITE=1` or `SetEnv MELLON_DISABLE_SAMESITE 1` in httpd.conf to stop SameSite=None from being set.

sagarkhushalani commented 2 years ago

We've been having the same issue, at least in Chrome and Edge. I'm going to try @moihn's BrowserMatch setting above.

Our Mellon settings:

```apache
AuthType Mellon
MellonEnable auth
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/httpd/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/pki/tls/private/localhost.key
MellonSPCertFile /etc/pki/tls/certs/localhost.crt
MellonIdPMetadataFile /etc/httpd/saml/idp_metadata.xml
MellonUser "${SAML_USER_ATTRIBUTE}"
MellonSetEnvNoPrefix REMOTE_USER "${SAML_USER_ATTRIBUTE}"

RewriteEngine On
RequestHeader unset "X-Forwarded-User"
RequestHeader unset "X-Forwarded-Groups"
Require valid-user
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
RequestHeader set X-Forwarded-User expr=%{REMOTE_USER}
```

The error in Apache:

"User has disabled cookies, or has lost the cookie before returning from the SAML2 login server"

We are using Azure AD as our IDP.

piotrp commented 2 years ago

The issue seems to be caused by forcing the test cookie to always be sent as SameSite=None, even on unencrypted connections. Using SameSite=None MUST be accompanied by Secure (which implies HTTPS), and some browsers (Chromium-based?) ignore cookies with invalid flags.

@moihn thanks for your workaround 👍
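The three explanations offered in this thread (workflo's 2-minute window, vladsf's Lax-vs-POST point, and piotrp's SameSite=None-without-Secure point) all follow from the same browser rules, so it helps to see them side by side. The script below is an added example, not mod_auth_mellon code: it models how a Chromium-style browser decides whether to store the `mellon-cookie=cookietest` test cookie and whether to send it back on the top-level cross-site POST that the SAML POST binding makes to `/mellon/postResponse`. The rules and the 120-second grace window are assumptions of the model taken from Chrome's published SameSite behaviour; the Set-Cookie header values are constructed samples.

```python
"""Model of browser SameSite handling for the mod_auth_mellon cookie test.

Added example; not part of mod_auth_mellon. The rules encoded here are an
assumption based on Chrome's documented SameSite behaviour (default Lax,
2-minute "Lax + POST" grace for cookies with no SameSite attribute, and
rejection of SameSite=None without Secure).
"""
from dataclasses import dataclass
from typing import Optional

# Assumed: Chrome's grace window for top-level cross-site POSTs when the cookie
# carries no SameSite attribute at all (explicit SameSite=Lax gets no grace).
LAX_POST_GRACE_SECONDS = 120


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    secure: bool
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when absent


def parse_set_cookie(header: str) -> Cookie:
    """Parse the parts of a Set-Cookie header value that this model uses."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    secure = False
    samesite: Optional[str] = None
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "secure":
            secure = True
        elif key == "samesite":
            samesite = val.strip().capitalize()  # "none" -> "None"
    return Cookie(name.strip(), value.strip(), secure, samesite)


def browser_stores(cookie: Cookie, over_https: bool) -> bool:
    """Would the browser accept the cookie when the SP sets it on /mellon/login?"""
    if cookie.secure and not over_https:
        return False  # a Secure cookie cannot be set over plain HTTP
    if cookie.samesite == "None" and not cookie.secure:
        return False  # SameSite=None without Secure is dropped (piotrp's point)
    return True


def sent_on_cross_site_post(cookie: Cookie, over_https: bool, age_seconds: float) -> bool:
    """Is the cookie attached to the top-level cross-site POST to /mellon/postResponse?"""
    if cookie.secure and not over_https:
        return False
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "None":
        return True
    if cookie.samesite == "Lax":
        return False  # explicit Lax never rides a cross-site POST (vladsf's point)
    # No attribute: treated as Lax, but with the short grace window for POST
    return age_seconds <= LAX_POST_GRACE_SECONDS


def mellon_cookie_test(set_cookie_header: str, over_https: bool, seconds_at_idp: float) -> str:
    """Simulate one login: SP sets the test cookie, browser spends `seconds_at_idp`
    at the IdP, then the IdP auto-posts the response back to the SP.

    Returns "ok", "lost" (Apache logs the "has lost the cookie" error) or
    "rejected-at-set" (the browser never stored the cookie in the first place).
    """
    cookie = parse_set_cookie(set_cookie_header)
    if not browser_stores(cookie, over_https):
        return "rejected-at-set"
    if sent_on_cross_site_post(cookie, over_https, seconds_at_idp):
        return "ok"
    return "lost"


if __name__ == "__main__":
    # Constructed sample headers covering the cases discussed in the thread.
    cases = [
        ("mellon-cookie=cookietest; Path=/; Secure; SameSite=None", True, 300),
        ("mellon-cookie=cookietest; Path=/; Secure; SameSite=Lax", True, 10),
        ("mellon-cookie=cookietest; Path=/; Secure", True, 60),
        ("mellon-cookie=cookietest; Path=/; Secure", True, 300),
        ("mellon-cookie=cookietest; Path=/; SameSite=None", False, 10),
    ]
    for header, https, secs in cases:
        scheme = "https" if https else "http"
        print(f"{scheme:5} {secs:4}s  {header:55} -> {mellon_cookie_test(header, https, secs)}")
```

The third and fourth rows are workflo's observation: with no SameSite attribute the login works if the user returns from the IdP within two minutes and fails afterwards, with the browser still holding `cookietest`. The only row that succeeds regardless of timing is `Secure; SameSite=None` over HTTPS, which is the `MellonSecureCookie On` plus `MellonCookieSameSite None` configuration; the last row shows why forcing `SameSite=None` on a plain-HTTP site does not help.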