OpenAM Agents / AMAGENTS-68

invalid cookie causes 403 instead of redirect to login page

    Details

      Description

      If the Agent receives a cookie which is invalid, it should redirect the requester to a login page. It should not return 403.
      This happens even on not-enforced URLs.

      Steps to reproduce:

      1. Request protected resource

      curl -v --cookie 'iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlNLABMzNzQ4OTU4NDg2NjY0OTUyNTIz*' http://1202.example.com/sec/sso.html
      *   Trying 192.168.56.125...
      * Connected to 1202.example.com (192.168.56.125) port 80 (#0)
      > GET /sec/sso.html HTTP/1.1
      > Host: 1202.example.com
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlNLABMzNzQ4OTU4NDg2NjY0OTUyNTIz*
      >
      < HTTP/1.1 200 OK
      

      2. Remove some characters from the cookie to make it invalid.

      3. Test again using the modified cookie.

      curl -v --cookie 'iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlN' http://1202.example.com/sec/sso.html
      *   Trying 192.168.56.125...
      * Connected to 1202.example.com (192.168.56.125) port 80 (#0)
      > GET /sec/sso.html HTTP/1.1
      > Host: 1202.example.com
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfczmAd2fBNPtwX938Wv2mM0ZY5c4L-e3kgM.*AAJTSQACMDEAAlN
      >
      < HTTP/1.1 403 Forbidden
      < Date: Fri, 22 Apr 2016 12:58:58 GMT
      < Server: Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.0
      < Content-Length: 214
      < Content-Type: text/html; charset=iso-8859-1
      <
      <!DOCTYPE HTML PUBLIC "-//IETF//DTD HTML 2.0//EN">
      <html><head>
      <title>403 Forbidden</title>
      </head><body>
      

      Expected results:
      A redirect to the login page, similar to:

      curl -v --cookie iPlanetDirectoryPro= http://1202.example.com/sec/sso.html
      *   Trying 192.168.56.125...
      * Connected to 1202.example.com (192.168.56.125) port 80 (#0)
      > GET /sec/sso.html HTTP/1.1
      > Host: 1202.example.com
      > User-Agent: curl/7.43.0
      > Accept: */*
      > Cookie: iPlanetDirectoryPro=
      >
      < HTTP/1.1 302 Found
      < Date: Fri, 22 Apr 2016 13:01:03 GMT
      < Server: Apache/2.4.6 (CentOS) OpenAM Web Agent/4.0.0
      < Location: http://1202.example.com:8080/openam/UI/Login?goto=http%3A%2F%2F1202.example.com%3A80%2Fsec%2Fsso.html
      < Content-Length: 285
      < Content-Type: text/html; charset=iso-8859-1
      

      Actual result:
      403 page
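      The three runs above (valid cookie, truncated cookie, empty cookie) can be turned into a repeatable check for this behaviour. The script below is an added example written for this issue; it is not part of the OpenAM web agent or of the report. It classifies an agent response as allowed, login-redirect, forbidden or something else, states the expected outcome for each cookie variant (valid session allowed; invalid or empty session on an enforced URL sent to login; a not-enforced URL served regardless, which is an assumption drawn from the remark that the 403 appears even on not-enforced URLs), and includes a small driver that sends the three variants with urllib without following redirects. The host, the login path and the cookie value are placeholders; the goto comparison normalises default ports because the Location header in the expected-result run carries an explicit :80 that the requested URL does not.

```python
"""Regression check for the AMAGENTS-68 behaviour (added example, not agent code)."""
import urllib.request
import urllib.error
from urllib.parse import urlsplit, parse_qs

COOKIE_NAME = "iPlanetDirectoryPro"
LOGIN_PATH = "/openam/UI/Login"  # path seen in the report's Location header


class NoRedirect(urllib.request.HTTPRedirectHandler):
    """Stop urllib from following 3xx so the Location header can be inspected."""
    def redirect_request(self, req, fp, code, msg, headers, newurl):
        return None


def _same_resource(a, b):
    """Compare two URLs by scheme, host, port and path, treating a missing
    port as the scheme default (http://h/x equals http://h:80/x)."""
    default = {"http": 80, "https": 443}

    def norm(u):
        p = urlsplit(u)
        return (p.scheme, p.hostname, p.port or default.get(p.scheme), p.path)
    return norm(a) == norm(b)


def classify(status, headers, requested_url):
    """Map an agent response to one of: 'allowed', 'login-redirect',
    'redirect-elsewhere', 'forbidden', 'other'.

    A login redirect is a 3xx whose Location points at the login page and
    whose goto parameter names the URL that was originally requested."""
    h = {k.lower(): v for k, v in headers.items()}
    if status == 200:
        return "allowed"
    if status == 403:
        return "forbidden"
    if status in (301, 302, 303, 307):
        parts = urlsplit(h.get("location", ""))
        goto = parse_qs(parts.query).get("goto", [""])[0]
        if parts.path == LOGIN_PATH and goto and _same_resource(goto, requested_url):
            return "login-redirect"
        return "redirect-elsewhere"
    return "other"


def expected(enforced, cookie_valid):
    """Expected outcome: valid session allowed; invalid/missing session on an
    enforced URL sent to login; not-enforced URL served regardless (assumption)."""
    if not enforced or cookie_valid:
        return "allowed"
    return "login-redirect"


def cookie_variants(valid_value):
    """The three cookie values from the report: valid, truncated (characters
    removed, step 2) and empty (the expected-result run)."""
    cut = max(1, len(valid_value) // 2)
    return {"valid": valid_value, "truncated": valid_value[:cut], "empty": ""}


def probe(url, cookie_value):
    """Send one request carrying the cookie; return (status, headers) even for
    3xx/4xx, which urllib reports as HTTPError once redirects are disabled."""
    opener = urllib.request.build_opener(NoRedirect)
    req = urllib.request.Request(url, headers={"Cookie": f"{COOKIE_NAME}={cookie_value}"})
    try:
        with opener.open(req, timeout=10) as resp:
            return resp.status, dict(resp.headers)
    except urllib.error.HTTPError as e:
        return e.code, dict(e.headers)


def run(url, valid_cookie, enforced=True):
    """Probe each cookie variant; return {variant: (observed, expected)}.
    Any entry whose two values differ reproduces the reported defect."""
    results = {}
    for name, value in cookie_variants(valid_cookie).items():
        status, headers = probe(url, value)
        results[name] = (classify(status, headers, url), expected(enforced, name == "valid"))
    return results


if __name__ == "__main__":
    # Placeholder target and cookie; replace with a real agent URL and session.
    for variant, (seen, want) in run("http://1202.example.com/sec/sso.html", "PLACEHOLDER").items():
        print(f"{variant:9s} observed={seen:17s} expected={want}")
```

      Run against a real agent, a truncated cookie reported as forbidden where login-redirect is expected is exactly the behaviour in this issue; classify() can also be fed status and headers captured from curl -v, as the test values below do with the three transcripts above.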

        Attachments

        1. cookiejar
          0.4 kB
        2. cookiejar_sm
          1 kB
        3. cookijar
          0.4 kB

              People

              Assignee: Chris Lee (chris.lee)
              Reporter: Andrew Dunn (andrew.dunn, inactive)
              QA Assignee: edwardb
              Votes: 0
              Watchers: 7
