This repository has been archived by the owner on Nov 9, 2017. It is now read-only.

wsfedsignout error in cookie path and permanent? #19

Closed
paullem opened this issue Oct 27, 2012 · 7 comments

@paullem

paullem commented Oct 27, 2012

SignInSessionManager.ClearEndPoints() forgets to set the path to the same value as WriteCookie(…) does. As a consequence it is never cleared. Why does WriteCookie set Expires? Now it is a disk cookie. It should really be a memory/session cookie, shouldn't it? Because authn cookies and this one should disappear at the same time. And for disk there is only one, but for memory they are per DOM session, which normally enables two separate logons!
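
The browser-side reason a clear without a matching Path never takes effect, as an added illustration that is not IdentityServer code: a small RFC 6265 cookie-store model in which a cookie is keyed on name and path, so the expired Set-Cookie sent by ClearEndPoints must carry the same Path that WriteCookie used. The application path `/idsrv` and the endpoint value are constructed assumptions.

```javascript
// Minimal model of a browser cookie store (RFC 6265): a cookie is identified by
// name + domain + path (domain omitted here), so a clearing Set-Cookie removes the
// stored cookie only when its Path matches. Added illustration, not IdentityServer code.
class CookieJar {
  constructor() { this.store = new Map(); }
  // Apply one Set-Cookie header value received in a response to `requestPath`.
  setCookie(header, requestPath = "/") {
    const [pair, ...attrs] = header.split(";").map(s => s.trim());
    const eq = pair.indexOf("=");
    const name = pair.slice(0, eq), value = pair.slice(eq + 1);
    let path = defaultPath(requestPath), expires = null;
    for (const a of attrs) {
      const i = a.indexOf("=");
      const k = a.slice(0, i).toLowerCase(), v = a.slice(i + 1);
      if (k === "path") path = v;
      if (k === "expires") expires = new Date(v);
    }
    const key = name + "|" + path;
    // An Expires in the past deletes only the cookie with the same name AND path.
    if (expires && expires.getTime() <= Date.now()) { this.store.delete(key); return; }
    // No Expires: session (memory) cookie. Future Expires: persistent (disk) cookie.
    this.store.set(key, { name, value, path, session: expires === null });
  }
  // Cookies a browser would attach to a request for `requestPath`.
  cookiesFor(requestPath) {
    return [...this.store.values()].filter(c => pathMatches(requestPath, c.path));
  }
}
// RFC 6265 5.1.4: default path is the request path up to the last "/", else "/".
function defaultPath(p) {
  const i = p.lastIndexOf("/");
  return (!p.startsWith("/") || i <= 0) ? "/" : p.slice(0, i);
}
function pathMatches(req, cp) { // RFC 6265 5.1.4 path-match
  return req === cp || (req.startsWith(cp) && (cp.endsWith("/") || req[cp.length] === "/"));
}
// Constructed scenario: the STS runs under /idsrv and WriteCookie sets Path=/idsrv.
function demo() {
  const jar = new CookieJar(), past = "Thu, 01 Jan 1970 00:00:00 GMT";
  jar.setCookie("wsfedsignout=https://adfs.example/adfs/ls/; Path=/idsrv; Expires=" +
    new Date(Date.now() + 3600e3).toUTCString(), "/idsrv/issue");
  const persistent = !jar.cookiesFor("/idsrv/issue/wsfed")[0].session;
  // Bug: the clear omits Path (ASP.NET's HttpCookie then defaults to "/"), so the
  // browser targets a different cookie identity and the original survives.
  jar.setCookie("wsfedsignout=; Path=/; Expires=" + past, "/idsrv/issue/wsfed");
  const survivedBuggyClear = jar.cookiesFor("/idsrv/issue/wsfed").length;
  jar.setCookie("wsfedsignout=; Path=/idsrv; Expires=" + past, "/idsrv/issue/wsfed"); // fix: same Path
  const afterFix = jar.cookiesFor("/idsrv/issue/wsfed").length;
  return { persistent, survivedBuggyClear, afterFix };
}
```

The `session` flag records the second point in the report: a cookie written with Expires is persisted to disk, while one written without it lives only as long as the browser session.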

@ghost ghost assigned leastprivilege Oct 27, 2012
@brockallen
Member

Thx for the report. Will look into it.

@leastprivilege
Member

Good point.

Also - Paul - for signout via HRD - I should rather do a redirect, e.g. to the ADFS signin endpoint, right?

@paullem
Author

paullem commented Oct 27, 2012

I am not done yet with HRD testing. I will report on that one later.

@leastprivilege
Member

Thanks!

@paullem
Author

paullem commented Oct 27, 2012

The short answer is: YES.

The long answer is that an intermediate issuer (federation STS) should remember the upstream IdP that has authenticated the user. When wsignout1.0 arrives, a redirect (with wsignout1.0) to the upstream RP is required. Typically a memory cookie (path is application path) is used to remember this.

But now trouble ....
Officially it is SingleSignOn. So there is only one identity (and therefore only one upstream IdP) per DOM session (say IdP-a). But if you allow an authenticated user to also log on with an extra identity (by allowing an extra authentication) by using a whr=IdP-b, then you are in trouble. Because when signout is pressed, this path should be cleared too. It is non-trivial (if possible) to know which identity must be cleared....
And a fork (two identities) cannot be cleared with single signout? ADFS2 - rollup2 - was messing around with this. Lots of people were upset....
The classical way to avoid this is to not allow two identities (in a single DOM session). Only allow whr to override the realm cookie when the user is not authenticated (yep, another memory cookie). But don't be surprised if some people do not like that.

@leastprivilege
Member

ClearEndpoint now sets the path.

@leastprivilege
Member

(partially) closed. HRD signout problem will be addressed separately.
