OpenIdConnect handler single sign out doesn't delete cookie cleanly if cookie is chunked #1779
Hmm, remote signout isn't any different from a normal signout.
Security/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs, line 148 in 38004ce
I'd be curious to see a Fiddler trace of the signout.

Here is a trace using Chrome devtools. The response seems to have only cleared the main cookie:

I need to see both the request and response.

There are no cookies in that request. The server can't delete the chunks unless it knows how many there are. Why are there no cookies being sent?
The flow is this:
I am guessing the logged-out page is from the token server and it doesn't have access to app2's cookie. App2's OpenID Connect handler should handle deleting its cookies (including chunks) when responding to the iframe. But I am only seeing app2's main cookie deleted.

What happens if you disable samesite (CookieAuthenticationOptions.Cookie.SameSite = SameSiteMode.None)? That may be related since the signout flow is originating from app1.

Wow, that fixed it! Thanks!

Because it doesn't know if there are chunks. It needs the request cookie to tell it there are chunks.

Any pointer to whether this samesite mode (none) has a potential security risk?
This is for the front-end channel implementation of OpenIDConnect single sign out.
With a sample client similar to https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples/tree/master/samples/Mvc/Mvc.Client
Make sure to save the token and add some claims so that the resulting cookie is larger than 4k. Sign out from the token server; the client auth cookie should be deleted completely. But only the main cookie is deleted. The two chunks of the main cookie are still lying around. By manually adding the main cookie back (value = chunks-2), the login can be bypassed.
Since we do need the access token, we would like to set SaveToken = true, which may cause the cookie size to be over the 4k limit.
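The mechanics behind this report, as an added simulation that is not part of the issue and not the Microsoft.AspNetCore.Authentication code: the chunk naming scheme (main cookie value `chunks-N`, parts `nameC1`..`nameCN`) follows ChunkingCookieManager, the 4050-character chunk size is assumed to be its default, and the request/response dictionaries, the `Browser` cookie jar and the 8000-character ticket are constructed here. It shows why a Lax cookie leaves the chunks behind on a cross-site iframe sign-out, why re-adding `chunks-2` by hand restores the session, and why SameSite=None makes the delete complete.

```python
"""Simulation of the chunked-cookie sign-out problem from this issue.
Added illustration, not the Microsoft.AspNetCore code: the naming scheme
(main cookie value 'chunks-N', parts nameC1..nameCN) follows
ChunkingCookieManager, the 4050 chunk size is assumed to be its default, and
the request/response dictionaries and the browser cookie jar are constructed."""
from typing import Dict, List, Optional

CHUNK_COUNT_PREFIX = "chunks-"
AUTH_COOKIE = ".AspNetCore.Cookies"   # default cookie-authentication cookie name


def append_response_cookie(response: Dict[str, str], name: str, value: str,
                           chunk_size: int = 4050) -> None:
    """Set a cookie, splitting it into chunks when the value is too large."""
    if len(value) <= chunk_size:
        response[name] = value
        return
    parts = [value[i:i + chunk_size] for i in range(0, len(value), chunk_size)]
    response[name] = f"{CHUNK_COUNT_PREFIX}{len(parts)}"
    for i, part in enumerate(parts, start=1):
        response[f"{name}C{i}"] = part


def get_request_cookie(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Reassemble a (possibly chunked) cookie from the request's Cookie header."""
    main = cookies.get(name)
    if main is None or not main.startswith(CHUNK_COUNT_PREFIX):
        return main
    count = int(main[len(CHUNK_COUNT_PREFIX):])
    parts = [cookies.get(f"{name}C{i}") for i in range(1, count + 1)]
    if any(p is None for p in parts):
        return None          # a missing chunk makes the ticket unreadable
    return "".join(parts)


def delete_cookie(request_cookies: Dict[str, str], response: Dict[str, str],
                  name: str) -> List[str]:
    """Expire a cookie and its chunks. The chunk count is only known from the
    request's main cookie; if the browser did not send it, only the main cookie
    can be expired. Returns the names that were expired."""
    expired = [name]
    main = request_cookies.get(name, "")
    if main.startswith(CHUNK_COUNT_PREFIX):
        count = int(main[len(CHUNK_COUNT_PREFIX):])
        expired += [f"{name}C{i}" for i in range(1, count + 1)]
    for n in expired:
        response[n] = ""     # empty value stands in for an Expires-in-the-past header
    return expired


class Browser:
    """Constructed cookie jar for one site with a minimal SameSite model:
    Lax/Strict cookies are withheld from cross-site iframe requests, None is sent."""
    def __init__(self, samesite: str) -> None:
        self.samesite = samesite
        self.jar: Dict[str, str] = {}

    def apply_response(self, response: Dict[str, str]) -> None:
        for n, v in response.items():
            if v == "":
                self.jar.pop(n, None)
            else:
                self.jar[n] = v

    def cookies_for(self, cross_site: bool) -> Dict[str, str]:
        if cross_site and self.samesite != "None":
            return {}
        return dict(self.jar)


def front_channel_signout(samesite: str, ticket: str) -> Dict[str, object]:
    """app2 issues a (chunked) auth cookie; later the token server's logged-out
    page loads app2's sign-out endpoint in a cross-site iframe."""
    browser = Browser(samesite)
    resp: Dict[str, str] = {}
    append_response_cookie(resp, AUTH_COOKIE, ticket)
    browser.apply_response(resp)

    resp = {}
    expired = delete_cookie(browser.cookies_for(cross_site=True), resp, AUTH_COOKIE)
    browser.apply_response(resp)
    return {"expired": expired, "jar": dict(browser.jar)}


def replay_bypass(jar: Dict[str, str], chunk_count: int) -> Optional[str]:
    """Re-add the main cookie by hand (value 'chunks-N'); if the chunks were
    left behind, the original ticket reassembles and the login is restored."""
    cookies = dict(jar)
    cookies[AUTH_COOKIE] = f"{CHUNK_COUNT_PREFIX}{chunk_count}"
    return get_request_cookie(cookies, AUTH_COOKIE)


if __name__ == "__main__":
    ticket = "T" * 8000                      # constructed ticket > 4 KB -> 2 chunks
    for mode in ("Lax", "None"):
        r = front_channel_signout(mode, ticket)
        print(mode, "expired:", r["expired"], "left:", sorted(r["jar"]),
              "bypass works:", replay_bypass(r["jar"], 2) == ticket)
```

Two practitioner caveats on the SameSite=None workaround: modern browsers only accept SameSite=None when the cookie also carries the Secure attribute, and a None cookie is attached to every cross-site request, so the app's CSRF protection (antiforgery tokens on state-changing requests) is what stands between a third-party page and that session.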