Type: Bug
Status: Resolved
Priority: Major
Resolution: Fixed
Affects Version/s: 12.0.0
Component/s: authentication
Labels:
The persistent cookie module fails when the domain is deleted via the console and host cookies are used.
Steps to reproduce:
- Create a subrealm "stay_logged_in"
- In that realm, under Authentication, add new Persistent Cookie Module, "pers_cookie"
- Add a new Authentication Chain, "pers_cookie_datastore", and set the "pers_cookie" module as Sufficient and the DataStore as Required.
- On the console, under Configuration > System > Platform > delete all cookie domains
- Restart OpenAM server
- Attempt to login using the "stay_logged_in" realm with the persistent cookie chain, e.g. http://openam.example.com:8080/openam/UI/Login?realm=stay_logged_in
The response has an invalid Set-Cookie header for the session-jwt; note the Domain attribute. The other cookies are correct:
Set-Cookie: session-jwt=eyAidHlwIjogIkpXVCIsICJhbGciOiAi...fUEtDUzFfPTx11gVUUDcwiM.nZlIwM0_LnhduyVAkxOpoQ; Domain=""; Expires=Fri, 24-Apr-2015 15:33:29 GMT; Path=/
Set-Cookie: iPlanetDirectoryPro=AQIC5wM2LY4Sfcw4XTUo7GUML6KazJxFXZmOY3GDuN0t2Z4.*AAJTSQACMDEAAlNLABM4MzUzODE2NzEzODE1NTM1OTQ5*; Path=/
Set-Cookie: AMAuthCookie=LOGOUT; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/
A call to /json/serverinfo/* then returns:
{"domains":[],...
Potential workaround:
Add a domain again and use ssoadm to delete the cookie domains; then the value of the cookie domains is stored differently in the config store and the persistent cookie works.
A call to /json/serverinfo/* then returns:
{"domains":[""],...
However, this workaround breaks down when the user returns later with a still-valid session-jwt and is logged in automatically: OpenAM re-issues the session-jwt cookie, but as a domain cookie with an empty domain:
Domain="";
Session prolongation therefore fails, because the browser does not accept the renewed session-jwt (a domain cookie with an invalid domain instead of a host cookie).
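To see why the session-jwt from the login response (and the renewed one described just above) is dropped while the other cookies survive, the following added example applies the RFC 6265 cookie-domain rules (section 5.2.3 for parsing the Domain attribute, 5.1.3 for domain matching, 5.3 for storage and expiry) to the three Set-Cookie values quoted in this report. It is example code written for this page, not OpenAM code; the request hostname is taken from the reproduction URL, and the header lines are copied from the report and split one per header.

```python
"""Decide which Set-Cookie headers from the report a browser would keep.

Added example, not OpenAM code. It follows RFC 6265: section 5.2.3
(Domain attribute parsing), 5.1.3 (domain matching) and 5.3 (storage).
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional

REQUEST_HOST = "openam.example.com"  # hostname from the reproduction URL

# Constructed sample input: the three Set-Cookie values from the report,
# one header per entry (the report shows them run together on one line).
SAMPLE_HEADERS = [
    'session-jwt=eyAidHlwIjogIkpXVCIsICJhbGciOiAi...fUEtDUzFfPTx11gVUUDcwiM.nZlIwM0_LnhduyVAkxOpoQ; Domain=""; Expires=Fri, 24-Apr-2015 15:33:29 GMT; Path=/',
    'iPlanetDirectoryPro=AQIC5wM2LY4Sfcw4XTUo7GUML6KazJxFXZmOY3GDuN0t2Z4.*AAJTSQACMDEAAlNLABM4MzUzODE2NzEzODE1NTM1OTQ5*; Path=/',
    'AMAuthCookie=LOGOUT; Expires=Thu, 01-Jan-1970 00:00:10 GMT; Path=/',
]


@dataclass
class Disposition:
    name: str
    domain_attribute: Optional[str]  # None when the attribute is absent or empty
    host_only: bool
    stored: bool
    reason: str


def parse_attributes(header: str) -> Dict[str, str]:
    """Split 'name=value; A=v; B' into {attribute-name-lowercased: value}."""
    attrs: Dict[str, str] = {}
    for av in header.split(";")[1:]:
        key, _, value = av.strip().partition("=")
        attrs[key.strip().lower()] = value.strip()
    return attrs


def cookie_domain(attrs: Dict[str, str]) -> Optional[str]:
    """RFC 6265 5.2.3: an absent or empty Domain attribute is ignored;
    otherwise one leading '.' is dropped and the value lowercased.
    The RFC grammar does not strip quotes, so Domain="" yields the
    two-character value '""', not an empty attribute."""
    value = attrs.get("domain", "")
    if value == "":
        return None
    if value.startswith("."):
        value = value[1:]
    return value.lower()


def domain_match(request_host: str, domain: str) -> bool:
    """RFC 6265 5.1.3: identical, or request-host ends with '.' + domain
    and is a hostname rather than an IPv4 literal."""
    if request_host == domain:
        return True
    is_ip = all(label.isdigit() for label in request_host.split("."))
    return request_host.endswith("." + domain) and not is_ip


def expires_in_past(attrs: Dict[str, str], now: datetime) -> bool:
    """Parse the Netscape-style Expires date OpenAM emits (assumes an
    English locale); no Expires means a session cookie."""
    value = attrs.get("expires")
    if not value:
        return False
    expiry = datetime.strptime(value, "%a, %d-%b-%Y %H:%M:%S GMT")
    return expiry.replace(tzinfo=timezone.utc) < now


def disposition(header: str, request_host: str,
                now: Optional[datetime] = None) -> Disposition:
    """Storage decision for one Set-Cookie header received from request_host."""
    now = now or datetime.now(timezone.utc)
    name = header.split("=", 1)[0].strip()
    attrs = parse_attributes(header)
    host = request_host.lower()
    domain = cookie_domain(attrs)
    if domain is not None and not domain_match(host, domain):
        return Disposition(name, domain, False, False,
                           f"Domain={domain!r} does not domain-match {host}; cookie ignored")
    if expires_in_past(attrs, now):
        return Disposition(name, domain, domain is None, False,
                           "Expires is in the past; an existing cookie of that name is evicted")
    if domain is None:
        return Disposition(name, None, True, True, f"host-only cookie for {host}")
    return Disposition(name, domain, False, True,
                       f"domain cookie for {domain} and its subdomains")


def classify(headers: List[str], request_host: str = REQUEST_HOST) -> List[Disposition]:
    return [disposition(h, request_host) for h in headers]


if __name__ == "__main__":
    for d in classify(SAMPLE_HEADERS):
        print(f"{d.name:<20} stored={str(d.stored):<5} host_only={str(d.host_only):<5} {d.reason}")
```

Run against the sample, only iPlanetDirectoryPro is stored (as a host-only cookie): the session-jwt is ignored because the literal value `""` can never domain-match the request host, and AMAuthCookie=LOGOUT is an intentional deletion. The same check on the renewed session-jwt from the workaround scenario gives the same result, which is why the automatic re-login does not extend the session.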
Relates to: OPENAM-5264 Can't login to OpenAM with no cookies set in the platform service (Resolved)