[keycloak-dev] keycloak-gatekeeper - Cookies being applied to subdomains

Daniel Martin Daniel.Martin at digital.homeoffice.gov.uk
Mon Jun 17 12:41:19 EDT 2019


Hi Bruno,

I've created a JIRA at https://issues.jboss.org/browse/KEYCLOAK-10668 and updated the PR to reference it.

Best regards,


Daniel.
________________________________
From: Bruno Oliveira <bruno at abstractj.org>
Sent: 14 June 2019 19:45
To: Daniel Martin
Cc: keycloak-dev at lists.jboss.org
Subject: Re: [keycloak-dev] keycloak-gatekeeper - Cookies being applied to subdomains

Hi Daniel, thanks for reporting this. As we discussed on that PR, please
file a Jira adding the steps to reproduce, affected version and
everything that's recommended in the contribution guidelines, so we can
start to look at the issue.

At first glance, it looks like a bug.

On 2019-06-14, Daniel Martin wrote:
> Hi,
>
> I believe there is a bug in the keycloak-gatekeeper in that when it sets cookies they apply to the subdomains of the host. This causes any other services on those subdomains that are running keycloak-gatekeeper to fail when the cookie is present.
>
> For example, let's say we are running keycloak-gatekeeper on the following URLs:
>
>   1.  mydomain.com
>   2.  sub.mydomain.com
>
> If a user logs in to mydomain.com and then tries to visit sub.mydomain.com the service will fail (infinite redirect loop) as the cookie from the first service will be applied to the second service.
>
> In terms of the cookie, the problem is caused by this piece of code: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L30-L34
>
> If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2 it implies that if you set the 'Domain' attribute in that fashion it will propagate down to subdomains.
>
> It seems that to prevent this the 'Domain' attribute should simply be omitted.
>
> I've created a PR for this here: https://github.com/keycloak/keycloak-gatekeeper/pull/480
>
> Do you agree? If so, can we get this fix merged?
>
> Best regards,
>
>
> Daniel Martin.
>
> Please ensure that any communication with the Home Office is via an official account ending with digital.homeoffice.gov.uk or homeoffice.gsi.gov.uk. This email and any files transmitted with it are private and intended solely for the use of the individual or entity to whom they are addressed. If you have received this email in error please return it to the address it came from telling them it is not for you and then delete it from your system. Communications via the digital.homeoffice.gov.uk domain may be automatically logged, monitored and/or recorded for legal purposes. This email message has been swept for computer viruses.
> _______________________________________________
> keycloak-dev mailing list
> keycloak-dev at lists.jboss.org
> https://lists.jboss.org/mailman/listinfo/keycloak-dev

--

abstractj

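The scoping behaviour described in the thread, reproduced with an added example that is not code from keycloak-gatekeeper or from anyone on this list. It uses Go's standard net/http/cookiejar (an RFC 6265 client) to check whether a cookie set by a response from one host is later attached to a request to another host, once with a Domain attribute and once with it omitted. The cookie name and value are assumed for the example and are not gatekeeper's own.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// sessionCookie builds the kind of session cookie a reverse proxy sets after login.
// domainAttr is the value of the Domain attribute; the empty string means the
// attribute is omitted, which per RFC 6265 section 4.1.2.3 makes the cookie
// host-only (sent to the setting host only, never to its subdomains).
func sessionCookie(domainAttr string) *http.Cookie {
	return &http.Cookie{
		Name:     "proxy-session",         // assumed name for this example
		Value:    "opaque-session-token",  // constructed value
		Path:     "/",
		Domain:   domainAttr,
		Secure:   true,
		HttpOnly: true,
	}
}

// cookieSentTo reports whether a cookie set by a response from setHost, with the
// given Domain attribute, is attached by an RFC 6265 client to a later request
// to visitHost. A true result for a different host is the cross-service leak
// that causes the redirect loop described in the thread.
func cookieSentTo(setHost, domainAttr, visitHost string) bool {
	jar, err := cookiejar.New(nil) // no public-suffix list is needed for this check
	if err != nil {
		panic(err)
	}
	setURL := &url.URL{Scheme: "https", Host: setHost, Path: "/"}
	jar.SetCookies(setURL, []*http.Cookie{sessionCookie(domainAttr)})

	visitURL := &url.URL{Scheme: "https", Host: visitHost, Path: "/"}
	for _, c := range jar.Cookies(visitURL) {
		if c.Name == "proxy-session" {
			return true
		}
	}
	return false
}

func main() {
	cases := []struct{ setHost, domainAttr, visitHost string }{
		{"mydomain.com", "mydomain.com", "sub.mydomain.com"}, // Domain set: leaks to the subdomain
		{"mydomain.com", "", "sub.mydomain.com"},             // Domain omitted: host-only, not sent
		{"mydomain.com", "", "mydomain.com"},                 // host-only cookie still works on its own host
	}
	for _, tc := range cases {
		fmt.Printf("set on %-16s Domain=%-14q visiting %-16s -> sent: %v\n",
			tc.setHost, tc.domainAttr, tc.visitHost,
			cookieSentTo(tc.setHost, tc.domainAttr, tc.visitHost))
	}
	// The Set-Cookie header each variant produces:
	fmt.Println(sessionCookie("mydomain.com").String())
	fmt.Println(sessionCookie("").String())
}
```

Running it shows the cookie scoped with Domain=mydomain.com being sent to sub.mydomain.com, while the host-only variant (no Domain attribute, as the PR proposes) is sent only back to mydomain.com, so a second gatekeeper instance on the subdomain never sees a session cookie it did not issue.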

