[AMAGENTS-68] invalid cookie causes 403 instead of redirect to login page - ForgeRock JIRA

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Fixed
Affects Version/s: 4.0.0, 4.0.1
Fix Version/s: 5.0.0.0, 4.1.0
Component/s: Doc, Web Agents
Labels:
Environment:
Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.1-1
CentOS Linux release 7.2.1511 (Core) 64-bit
OpenAM 12.0.2

Sprint:
Sprint 115 Team Shakespeare
Cases:
- 12204
Support Ticket IDs:
Epic Link:
Docs: Agents 4.1.0 Release

Description

If the Agent receives a cookie which is invalid, it should redirect the requester to a login page. It should not show 403.
This is happens even on not enforced URLs.

Steps to reproduce:

1. Request protected resource

curl -v --cookie 'iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlNLABMzNzQ4OTU4NDg2NjY0OTUyNTIz*' http://1202.example.com/sec/sso.html
*   Trying 192.168.56.125...
* Connected to 1202.example.com (192.168.56.125) port 80 (#0)
> GET /sec/sso.html HTTP/1.1
> Host: 1202.example.com
> User-Agent: curl/7.43.0
> Accept: */*
> Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlNLABMzNzQ4OTU4NDg2NjY0OTUyNTIz*
>
< HTTP/1.1 200 OK

2. Remove some characters from the cookie to make it invalid.

3. Test Again using the modified cookie.

curl -v --cookie 'iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlN' http://1202.example.com/sec/sso.html
*   Trying 192.168.56.125...
* Connected to 1202.example.com (192.168.56.125) port 80 (#0)
> GET /sec/sso.html HTTP/1.1
> Host: 1202.example.com
> User-Agent: curl/7.43.0
> Accept: */*
> Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlN
>
< HTTP/1.1 403 Forbidden
< Date: Fri, 22 Apr 2016 12:58:58 GMT
< Server: Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.0
< Content-Length: 214
< Content-Type: text/html; charset=iso-8859-1
<
<!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
<html><head>
<title>403 Forbidden</title>
</head><body>

Expected results:
A redirect to the login page, similar to:

curl -v --cookie iPlanetDirectoryPro= http://1202.example.com/sec/sso.html
*   Trying 192.168.56.125...
* Connected to 1202.example.com (192.168.56.125) port 80 (#0)
> GET /sec/sso.html HTTP/1.1
> Host: 1202.example.com
> User-Agent: curl/7.43.0
> Accept: */*
> Cookie: iPlanetDirectoryPro=
>
< HTTP/1.1 302 Found
< Date: Fri, 22 Apr 2016 13:01:03 GMT
< Server: Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.0
< Location: http://1202.example.com:8080/openam/UI/Login?goto=http%3A%2F%2F1202.example.com%3A80%2Fsec%2Fsso.html
< Content-Length: 285
< Content-Type: text/html; charset=iso-8859-1

Actual result:
403 page

Attachments

Options
- Sort By Name
- Sort By Date
- Ascending
- Descending
- Thumbnails
- List
- Download All

Attachments

cookiejar
0.4 kB
04/Oct/16 12:28 PM
cookiejar_sm
1 kB
04/Oct/16 12:28 PM
cookijar
0.4 kB
04/Oct/16 12:28 PM

Issue Links

is related to

AMAGENTS-95 Improve Agent error handling of AM responses after OPENAM-8910

Closed

relates to

OPENAM-8910 NPE if a null siteID is passed to Session.validateSessionID

Resolved

mentioned in: Page Loading...

Activity

People

Assignee:

Chris Lee

Reporter:

Andrew Dunn [X] (Inactive)

QA Assignee:

edwardb

Votes:

0 Vote for this issue

Watchers:

7 Start watching this issue

Dates

Created:

22/Apr/16 2:04 PM

Updated:

13/Apr/17 10:50 AM

Resolved:

07/Nov/16 11:02 AM