OpenIdConnect handler single sign out doesn't delete cookie cleanly if cookie is chunked

[leechen]

This is for the front-end channel implementation of OpenIDConnect single sign out.
With a sample client similar to https://github.com/aspnet-contrib/AspNet.Security.OpenIdConnect.Samples/tree/master/samples/Mvc/Mvc.Client
Make sure to save token and add some claims to make the result cookie to be larger than 4k. Sign out from the token server, the client auth cookie should be deleted completely. But only the main cookie is deleted. The two chunks of the main cookie are still laying around. By manually add the main cookie back (value = chuncks-2), the login can be bypassed.

Since we do need access token, we would like to set SaveToken = true which may cause the cookie size be over 4k limit.

[Tratcher]

Hmm, remote signout isn't any different from a normal signout.

Security/src/Microsoft.AspNetCore.Authentication.OpenIdConnect/OpenIdConnectHandler.cs

Line 148 in 38004ce

await Context.SignOutAsync(Options.SignOutScheme);

I'd be curious to see a Fiddler trace of the signout.

[leechen]

Here is trace using chrome devtool. The response seems to have only cleared the main cookie:

Cache-Control: no-cache
Content-Length: 0
Date: Fri, 08 Jun 2018 16:12:06 GMT
Expires: -1
Pragma: no-cache
Server: Kestrel
Set-Cookie: .AspNetCore.test.user-auth-web-app2.cookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax

[Tratcher]

I need to see both the request and response.

[leechen]

Request URL: https://localhost:5007/signout-oidc?sid=49337fbf7a6e0a6014d81db864607e83&iss=https%3A%2F%2Faccounts.mytokenserver.io
Request Method: GET
Status Code: 200 OK
Remote Address: [::1]:5007
Referrer Policy: no-referrer-when-downgrade

Cache-Control: no-cache
Content-Length: 0
Date: Fri, 08 Jun 2018 16:26:57 GMT
Expires: -1
Pragma: no-cache
Server: Kestrel
Set-Cookie: .AspNetCore.test.user-auth-web-app2.cookie=; expires=Thu, 01 Jan 1970 00:00:00 GMT; path=/; samesite=lax

[Tratcher]

There are no cookies in that request. The server can't delete the chunks unless it knows how many there are. Why are there no cookies being sent?

[leechen]

The flow is this:

1. User sign out from app1, app1 delete its cookie.
2. App1 redirect to token server. Token server deletes its cookie.
3. Token server render a logged out page with an iframe to contains both app1 and app2's oidc front channel logout urls.

I am guessing the logged out page is from token server and it doesn't have access to app2's cookie. App2's openId connect handler should handle deleting its cookies (including chunks) when responding to the iframe. But I am only seeing app2's main cookie deleted.

[Tratcher]

What happens if you disable samesite (CookieAuthenticationOptions.Cookie.SameSite = SameSiteMode.None)? That may be related since the signout flow is originating from app1.

[leechen]

Wow, that fixed it! Thanks!
What puzzles me is still, why the main cookie is deleted but not the chunks using default SameSiteMode which is lax?

[Tratcher]

Because it doesn't know if there are chunks. It needs the request cookie to tell it there are chunks.

[leechen]

Ah, I see, here is the cookies tab for the successful request/response:

[leechen]

Any pointer to whether this samesite mode (none) has potential security risk?

[Tratcher]

Yes it does.
https://tools.ietf.org/html/draft-ietf-httpbis-rfc6265bis-02#section-5.3.7.1