Custom cookie name breaks redis for session

[thekoma]

Expected Behavior

Login succeed

Current Behavior

If you specify a custom cookie name while using redis to manage sessions we are unable to decrypt the cookie:

oauth2-proxy      | [2021/01/07 15:44:47] [stored_session.go:75] Error loading cookied session: failed to decode ticket, removing session
oauth2-proxy      | [2021/01/07 15:44:47] [stored_session.go:78] Error removing session: error decoding ticket to clear session: failed to decode ticket
oauth2-proxy      | [2021/01/07 15:44:47] [oauthproxy.go:506] Error clearing session cookie: error decoding ticket to clear session: failed to decode ticket
oauth2-proxy      | 172.18.0.10 - - [2021/01/07 15:44:47] sonarr.koma.link GET - "/oauth2/sign_in" HTTP/1.1 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/87.0.4280.107 Safari/537.36" 500 394 0.000
oauth2-proxy      | [2021/01/07 15:44:47] [stored_session.go:75] Error loading cookied session: http: named cookie not present, removing session

Possible Solution

• Ignore the cookie name parameter when session is managed by redis
• Decrypt using the correct cookie name

[JoelSpeed]

This definitely used to work as I've been using it in the past for production instances, could you confirm which version of the proxy you are using?

[thekoma]

@JoelSpeed compiled the master a couple hour before filling the bug

[NickMeves]

Hmmm - this cookie change just merged a few days ago: #970

Regression potentially?

If you built from commits before that PR merged, do you still get this bug?

[NickMeves]

So based on your error message, you have a valid cookie at this point that passed signature validation. But the inner content isn't formatted correctly so decodeTicket fails:

oauth2-proxy/pkg/sessions/persistence/ticket.go

Line 70 in 597ffeb

func decodeTicket(encTicket string, cookieOpts *options.Cookie) (*ticket, error) {

Do you have a sample on what your cookie value looked like?

Ticket sessions have 2 parts in the cookie split by a . - the Ticket ID & the Ticket Secret. The Ticket ID is used as the key in your store to find the encrypted and encoded session object in your data store. The Ticket Secret is the decryption key (makes it so a compromised session store can't steal sessions, it has a per session secret that is stored with the uses in their cookies).

[NickMeves]

oh I wonder... Does your custom name have a . in it?

[NickMeves]

That would then make the encoded ticket value have more than 2 entries after a split on . and give that error message you saw. Since the Ticket ID includes the cookie name as a base (either for debugging help or to really ensure no conflicts in a shared redis DB even though 16 byte random keys shouldn't collide probabilistically -- I don't know the original design intent).

ticketID := fmt.Sprintf("%s-%s", cookieOpts.Name, hex.EncodeToString(rawID))

Would explain your error message from this:

ticketParts := strings.Split(encTicket, ".")
if len(ticketParts) != 2 {
	return nil, errors.New("failed to decode ticket")
}

[thekoma]

yes it has

[NickMeves]

Cool thanks - that's the issue. At the moment I recommend you just use a different character in your custom cookie name to get over this issue.

Long term, I've tagged this as a bug for us to fix the encoding scheme so it is aware of . in the cookie name. This change will need to be aware of legacy & new encoding schemes simultaneously so it isn't a breaking change for existing Redis users.

[thekoma]

Cool! Thank you

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[thekoma]

This is still a bug @NickMeves ?

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[thekoma]

Is this still interesting?

[JoelSpeed]

Yeah we still need to get round to finding a fix for this 🙂

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[thekoma]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

. This issue gas a pr ti dolce the problema that is still there 3y layer.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[thekoma]

/unstale

[tuunit]

Hi @thekoma,

I've never looked into this issue before. I would like to give this a fresh look. Could you provide the following details:

Your configuration for oauth2-proxy and redis. Which version this occurs on and if you have tested it with the latest version?

[thekoma]

I don't use oauth2proxy at the moment the issue is 3 years old 😅.
I can check for the old config maybe.

[thekoma]

Just checked and the config is lost in time. If it's necessary to proceed I will need time to produce it again.

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.

[thekoma]

/unstale

[github-actions]

This issue has been inactive for 60 days. If the issue is still relevant please comment to re-activate the issue. If no action is taken within 7 days, the issue will be marked closed.