OpenAM / OPENAM-5902

Persistent cookie fails on host cookies when domain deleted via console

Details

• Sprint: Sprint 81 - Sustaining, Sprint 82 - Sustaining

Description

      The persistent cookie module fails when the domain is deleted via the console and host cookies are used.

      Steps to reproduce:

      1. Create a subrealm "stay_logged_in"
      2. In that realm, under Authentication, add new Persistent Cookie Module, "pers_cookie"
      3. Add a new Authentication Chain, "pers_cookie_datastore", and set the "pers_cookie" module as Sufficient and the DataStore as Required.
      4. On the console, under Configuration > System > Platform > delete all cookie domains
      5. Restart OpenAM server
      6. Attempt to login using the "stay_logged_in" realm with the persistent cookie chain, e.g. http://openam.example.com:8080/openam/UI/Login?realm=stay_logged_in

The response contains an invalid Set-Cookie header for session-jwt (note the Domain attribute); the other cookies are correct.

      Set-Cookie: session-jwt=eyAidHlwIjogIkpXVCIsICJhbHciOiAi...fUEtDUzFfPTx11gVUUDcwiM.nZlIwM0_LnhduyVAkxOpoQ; Domain=""; Expires=Fri, 24-Apr-2015 15:33:29 GMT; Path=/ 
      iPlanetDirectoryPro=AQIC5wM2LY4Sfcw4XTUo7GUML6KazJxFXZmOY3GDuN0t2Z4.*AAJTSQACMDEAAlNLABM4MzUzODE2NzEzODE1NTM1OTQ5*; Path=/ 
      AMAuthCookie=LOGOUT; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
      

      When you make a call to /json/serverinfo/* you will see

      :{"domains":[]....

Potential workaround:
Add a cookie domain again, then delete the cookie domains with ssoadm; the cookie-domain value is then stored differently in the configuration store and the persistent cookie works.

      When you make a call to /json/serverinfo/* you will see

      :{"domains":[""]....

      This workaround does not work when the user returns after a while with the valid session-jwt and is automatically logged in again. OpenAM sets the session-jwt cookie again, but as a domain cookie with an empty domain:

      Domain="";

So session prolongation fails because the browser does not accept the renewed session-jwt (a domain cookie with an invalid, empty domain instead of a host cookie).
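The symptom in the report can be checked mechanically. The following Python is an added example, not OpenAM's code: it parses Set-Cookie headers modelled on the ones above, flags the Domain="" case, and shows hypothetical cookie-domain selection logic (not the persistent cookie module's own) under which both serverinfo states seen in the report, the console-deleted [] and the ssoadm-deleted [""], yield a host cookie with no Domain attribute instead of Domain="". The sample headers are constructed, with placeholder cookie values.

```python
"""Added example (not OpenAM code): detect Set-Cookie headers carrying
Domain="" and pick a cookie domain that never degrades to an empty one."""
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample headers modelled on the report; cookie values are
# shortened placeholders, not real tokens.
SAMPLE_HEADERS: List[str] = [
    'session-jwt=eyAidHlwIjogIkpXVCIs...PLACEHOLDER; Domain=""; '
    'Expires=Fri, 24-Apr-2015 15:33:29 GMT; Path=/',
    'iPlanetDirectoryPro=AQIC5wM2LY4S...PLACEHOLDER; Path=/',
    'AMAuthCookie=LOGOUT; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/',
]


@dataclass
class Cookie:
    name: str
    value: str
    attrs: Dict[str, Optional[str]]  # lower-cased attribute -> value (None for flags)


def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie value into name, value and attributes.

    Splitting on ';' is safe: the Expires date contains commas, never semicolons.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for attr in parts[1:]:
        if not attr:
            continue
        key, sep, val = attr.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def domain_problem(cookie: Cookie) -> Optional[str]:
    """Describe an unusable Domain attribute, or return None if the cookie is fine.

    No Domain attribute means a host cookie, which is the intended result when
    no cookie domain is configured. A Domain that is empty, or is the literal
    two quote characters, cannot domain-match any request host, so the browser
    drops the cookie: the breakage described in the report.
    """
    if "domain" not in cookie.attrs:
        return None
    dom = cookie.attrs["domain"]
    if dom is None or dom.strip('"').strip() == "":
        return 'Domain attribute is empty (Domain=""), browser will drop this cookie'
    return None


def find_bad_cookies(headers: List[str]) -> List[str]:
    """Return 'name: problem' for every header whose Domain attribute is unusable."""
    findings = []
    for header in headers:
        cookie = parse_set_cookie(header)
        problem = domain_problem(cookie)
        if problem:
            findings.append(f"{cookie.name}: {problem}")
    return findings


def choose_cookie_domain(configured: List[str], request_host: str) -> Optional[str]:
    """Pick the Domain attribute, or None to issue a host cookie (hypothetical logic).

    Blank entries are skipped, so the console-deleted state ([]) and the
    ssoadm-deleted state ([""]) both produce a host cookie rather than Domain="".
    """
    host = request_host.lower()
    for entry in configured:
        dom = entry.strip().strip('"').lstrip(".").lower()
        if not dom:
            continue
        if host == dom or host.endswith("." + dom):
            return dom
    return None


def build_set_cookie(name: str, value: str, configured: List[str],
                     request_host: str) -> str:
    """Assemble a Set-Cookie value, omitting Domain when a host cookie is wanted."""
    parts = [f"{name}={value}"]
    dom = choose_cookie_domain(configured, request_host)
    if dom is not None:
        parts.append(f"Domain={dom}")
    parts.append("Path=/")
    return "; ".join(parts)


if __name__ == "__main__":
    for finding in find_bad_cookies(SAMPLE_HEADERS):
        print(finding)
    for domains in ([], [""], ["example.com"]):
        print(domains, "->",
              build_set_cookie("session-jwt", "TOKEN", domains, "openam.example.com"))
```

Running `find_bad_cookies` over the captured response headers after a login is a quick regression check for this issue: only the session-jwt header is flagged, and only while the empty-domain bug is present.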

People

• Assignee: Peter Major (peter.major), Inactive
• Reporter: Mark Powell (mark.powell)
• Votes: 1
• Watchers: 3

Time Tracking

• Original Estimate: 0h
• Remaining Estimate: 0h
• Time Spent: 2h