Session cookies will be split if they're too large. On logout ClearSessionCookies should remove
all cookies. That does not work if cookies are split, due to naming.
Expected Behavior
ClearSessionCookies should remove all cookies set on login.
Current Behavior
When a user logs in, SetSessionCookie() is responsible for setting a cookie with user information. The cookie is
created by MakeSessionCookie(...) with provider-specific information. If the length of the cookie is too large, it
will be split into several cookies which are named <cookie_name>_0, <cookie_name>_1, ...
-> SET: _oauth2_proxy_0, _oauth2_proxy_1
Cookies are deleted by creating an empty cookie with the same name that has already expired. The browser will remove the
old one. The ClearSessionCookie(...) calls MakeSessionCookie(...) to create the "delete"-cookie. This time it is called
without value (to create that empty cookie), resulting in an unsplit delete-cookie.
-> UNSET: _oauth2_proxy
Possible Solution
The ClearSessionCookie() method should search the request cookies for cookies that start with OAuthProxy.CookieName and
remove them.
* fixes deletion of split cookies
* three minor adjustments to improve the tests
* changed cookie name matching to regex
* Update oauthproxy.go
Co-Authored-By: einfachchr <[email protected]>
* removed unused variable
* Changelog
Steps to Reproduce (for bugs)
We added a test to oauthproxy_test.go:
Context
This bug permits the logout. If the user reloads the page she will be logged in again.
Your Environment
The bug works in current versions
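The clearing approach proposed in the issue, as an added example that is not part of the original report or of the oauth2_proxy code base: every request cookie named `<cookie_name>` or `<cookie_name>_<n>` gets its own expired, empty replacement. The helper names, the `/logout` path, the `Path: "/"` attribute and the sample cookie `_oauth2_proxy_other` are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"regexp"
	"time"
)

// expireSessionCookies is a hypothetical helper (not the project's own code).
// It returns one expired, empty cookie per request cookie named exactly
// <name> or <name>_<n>, so every part of a split session cookie is cleared.
func expireSessionCookies(req *http.Request, name string) []*http.Cookie {
	// QuoteMeta stops characters in the configured name acting as regex
	// operators; the anchors keep other cookies sharing the prefix untouched.
	re := regexp.MustCompile(`^` + regexp.QuoteMeta(name) + `(_\d+)?$`)
	var out []*http.Cookie
	for _, c := range req.Cookies() {
		if re.MatchString(c.Name) {
			// Assumption: Path must equal the value used at login, otherwise
			// the browser treats this as a different cookie and keeps the old one.
			out = append(out, &http.Cookie{Name: c.Name, Value: "", Path: "/",
				HttpOnly: true, Expires: time.Unix(0, 0), MaxAge: -1})
		}
	}
	return out
}

// clearedNames runs the helper against a constructed logout request and
// returns the cookie names that end up in the Set-Cookie response headers.
func clearedNames(name string, sent ...string) []string {
	req := httptest.NewRequest("GET", "/logout", nil)
	for _, n := range sent {
		req.AddCookie(&http.Cookie{Name: n, Value: "x"})
	}
	rec := httptest.NewRecorder()
	for _, c := range expireSessionCookies(req, name) {
		http.SetCookie(rec, c)
	}
	var names []string
	for _, c := range rec.Result().Cookies() {
		names = append(names, c.Name)
	}
	return names
}

func main() {
	fmt.Println(clearedNames("_oauth2_proxy", "_oauth2_proxy_0", "_oauth2_proxy_1", "_oauth2_proxy_other"))
}
```

A regression test for this bug should assert on the names in the response's `Set-Cookie` headers, since a check that only looks for "some delete-cookie was sent" passes even when the split parts survive.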