[keycloak-dev] keycloak-gatekeeper - Cookies being applied to subdomains

Daniel Martin Daniel.Martin at digital.homeoffice.gov.uk
Fri Jun 14 08:04:37 EDT 2019


Hi,

I believe there is a bug in the keycloak-gatekeeper in that when it sets cookies they apply to the subdomains of the host. This causes any other services on those subdomains that are running keycloak-gatekeeper to fail when the cookie is present.

For example, let's say we are running keycloak-gatekeeper on the following URLs:

  1. mydomain.com
  2. sub.mydomain.com

If a user logs in to mydomain.com and then tries to visit sub.mydomain.com the service will fail (infinite redirect loop) as the cookie from the first service will be applied to the second service.

In terms of the cookie, the problem is caused by this piece of code: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L30-L34

If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2 it implies that if you set the 'Domain' attribute in that fashion it will propagate down to subdomains.

It seems that to prevent this the 'Domain' attribute should simply be omitted.

I've created a PR for this here: https://github.com/keycloak/keycloak-gatekeeper/pull/480

Do you agree? If so, can we get this fix merged?

Best regards,


Daniel Martin.
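To make the cookie-scoping rule from RFC 6265 concrete, here is an added example (not code from the e-mail or from keycloak-gatekeeper) that uses Go's standard `net/http/cookiejar` to replay the two cases above: a cookie set by `mydomain.com` with `Domain=mydomain.com`, and the same cookie set as a host-only cookie with the `Domain` attribute omitted. The cookie name `session` and the hostnames are constructed for the demonstration; the jar is built with a nil public-suffix list, which is enough for this check.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// cookieVisibleOn stores one cookie as if it arrived in a response from
// setHost (with the given Domain attribute, or host-only when domainAttr is
// empty) and reports whether a standards-compliant client would send that
// cookie on a later request to checkHost.
func cookieVisibleOn(setHost, domainAttr, checkHost string) bool {
	jar, err := cookiejar.New(nil) // nil PublicSuffixList: fine for this demo
	if err != nil {
		panic(err)
	}

	setURL := &url.URL{Scheme: "https", Host: setHost, Path: "/"}
	c := &http.Cookie{
		Name:  "session", // constructed name, not gatekeeper's real cookie name
		Value: "opaque-token",
		Path:  "/",
	}
	if domainAttr != "" {
		// Setting Domain turns this into a "domain cookie", which RFC 6265
		// section 5.1.3 domain-matches every subdomain as well.
		c.Domain = domainAttr
	}
	jar.SetCookies(setURL, []*http.Cookie{c})

	checkURL := &url.URL{Scheme: "https", Host: checkHost, Path: "/"}
	for _, got := range jar.Cookies(checkURL) {
		if got.Name == "session" {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct{ set, domain, check string }{
		{"mydomain.com", "mydomain.com", "sub.mydomain.com"}, // leaks to subdomain
		{"mydomain.com", "", "sub.mydomain.com"},             // host-only: stays put
		{"mydomain.com", "", "mydomain.com"},                 // host-only still works
	}
	for _, tc := range cases {
		fmt.Printf("set on %-13s Domain=%-13q sent to %-17s -> %v\n",
			tc.set, tc.domain, tc.check,
			cookieVisibleOn(tc.set, tc.domain, tc.check))
	}
}
```

Running it shows the first case returning `true`: a cookie issued by `mydomain.com` with an explicit `Domain` attribute is presented to `sub.mydomain.com`, which is exactly what a second gatekeeper instance there would choke on. Dropping the attribute makes the cookie host-only, so it is sent back to `mydomain.com` and nowhere else.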
