Closed sschellh closed 1 year ago
/cc @pedroigor (oidc), @sberyozkin (oidc)
@sschellh If we have a malformed session cookie then it can only happen if someone tried it deliberately. I agree though, 500 is not good, should be 401.
Hi @sberyozkin, in our case it happened because another application (within the same company) registered its q_session cookie under the wrong domain (they were using example.com instead of app_one.example.com). This other app uses encrypted cookies. The q_session cookie now collides and renders our application (running on app_two.example.com) dysfunctional. The user can only recover by deleting the cookie (which users don't know).
While the root cause of the "malformed" cookie is surely the other application, such a misconfiguration should not cause our application to block. The fact that this malformed cookie is not deleted is the main trouble and what makes this defect important.
If 401 is returned, then the cookie is also deleted and the user can recover by refreshing the page.
> I agree though 500 is not good, should be 401

+1
Describe the bug
When using quarkus-oidc, a malformed value of the q_session cookie can result in an internal server error.
Expected behavior
Malformed value of a q_session cookie never causes an internal server error, but only a "not authenticated" response. Instead, the cookie is deleted such that users can recover from the presence of a malformed cookie.
Actual behavior
Malformed q_session cookie causes internal server error.
How to Reproduce?
Use the following settings:
Usually, the q_session cookie has the format {id_token}|{access_token}|{refresh_token}. However, now manipulate the q_session cookie such that it has the following format: {id_token} (i.e. remove the bars |). (This is the format the q_session cookie has when encryption is activated, for instance.)
The application responds with Internal Server Error, caused by ArrayIndexOutOfBoundsException.
Output of uname -a or ver
No response
Output of java -version
No response
GraalVM version (if different from Java)
No response
Quarkus version or git rev
3.2.3
Build tool (ie. output of mvnw --version or gradlew --version)
No response
Additional information
No response
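To make the expected behaviour concrete, here is an added example (written for this page, not quarkus-oidc's own code) of parsing the {id_token}|{access_token}|{refresh_token} layout so that a value without separators never throws: the unchecked version reproduces the ArrayIndexOutOfBoundsException, the hardened version returns "no session", and the handler maps that to 401 plus a Set-Cookie header that expires q_session. The class name, the `Outcome` record, the `handle` signature and the sample token strings are assumptions for illustration; only the cookie name and the three-part layout come from the issue.

```java
import java.util.Optional;

/**
 * Added example, not quarkus-oidc code: parse the q_session layout
 * {id_token}|{access_token}|{refresh_token} without throwing on a malformed
 * value, and map "malformed" to 401 plus a cookie deletion.
 */
public final class SessionCookieHandling {

    /** Cookie name as used by quarkus-oidc; everything else here is assumed for illustration. */
    static final String COOKIE_NAME = "q_session";

    public record SessionTokens(String idToken, String accessToken, String refreshToken) {}

    /** What the handler decides: an HTTP status and an optional Set-Cookie header to send. */
    public record Outcome(int status, Optional<String> setCookie) {}

    /** The shape of the bug: unchecked indexing throws for a value such as "{id_token}" with no '|'. */
    static SessionTokens parseUnchecked(String raw) {
        String[] parts = raw.split("\\|");
        return new SessionTokens(parts[0], parts[1], parts[2]);   // ArrayIndexOutOfBoundsException when parts.length < 3
    }

    /** Hardened parser: empty result for anything that is not exactly three non-empty parts. */
    static Optional<SessionTokens> parse(String raw) {
        if (raw == null || raw.isBlank()) {
            return Optional.empty();
        }
        // limit -1 keeps trailing empty strings, so "a|b|" is seen as 3 parts (one empty), not 2
        String[] parts = raw.split("\\|", -1);
        if (parts.length != 3) {
            return Optional.empty();      // e.g. an encrypted cookie from another app: no '|' at all
        }
        for (String p : parts) {
            if (p.isEmpty()) {
                return Optional.empty();
            }
        }
        return Optional.of(new SessionTokens(parts[0], parts[1], parts[2]));
    }

    /**
     * Set-Cookie header that removes the cookie. Browsers replace a cookie only when
     * name, Domain and Path match, so these must be the attributes the stray cookie
     * was set with (assumed here to be supplied by the caller).
     */
    static String expiredCookie(String domain, String path) {
        return COOKIE_NAME + "=; Max-Age=0; Expires=Thu, 01 Jan 1970 00:00:00 GMT"
                + "; Path=" + path + "; Domain=" + domain + "; HttpOnly; Secure";
    }

    /** Request handling: no cookie -> 401; malformed cookie -> 401 and delete it; well formed -> 200. */
    static Outcome handle(String rawCookie, String cookieDomain) {
        if (rawCookie == null) {
            return new Outcome(401, Optional.empty());
        }
        Optional<SessionTokens> tokens = parse(rawCookie);
        if (tokens.isEmpty()) {
            return new Outcome(401, Optional.of(expiredCookie(cookieDomain, "/")));
        }
        // Real code would verify the ID token's signature and expiry before treating the user as logged in.
        return new Outcome(200, Optional.empty());
    }

    public static void main(String[] args) {
        // Constructed sample values; they are placeholders, not real JWTs.
        String good = "idtoken.sample|accesstoken.sample|refreshtoken.sample";
        String stray = "idtoken.sample";   // shape of an encrypted cookie from another app: no separators

        System.out.println(handle(good, "app_two.example.com"));
        System.out.println(handle(stray, "example.com"));
        try {
            parseUnchecked(stray);
        } catch (ArrayIndexOutOfBoundsException e) {
            System.out.println("unchecked parser: " + e);   // the failure behind the 500 in the issue
        }
    }
}
```

One caveat worth keeping in mind when clearing the cookie: a q_session cookie that another application set with Domain=example.com is only removed by a Set-Cookie that carries the same Domain and Path, so an application that expires the cookie for its own host alone (app_two.example.com) will keep receiving the stray value on every request.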