  1. OpenAM
  2. OPENAM-8366

WPA4: Session is not terminated after agent logout in CD SSO when only cdsso iPDP cookie is presented in a browser


    Details


      Description

      Session is not terminated after agent logout in CD SSO when only cdsso iPDP cookie is presented in a browser.

      Steps to reproduce

      1.) Install the agent for cdsso
      2.) Configure CD SSO: <AGENT PROFILE> / SSO /

      • Cross Domain SSO = true
      • Cookies Domain List = .profiq.com

      3.) Configure agent logout: <AGENT PROFILE> / OpenAM Services

      4.) Hit a page protected by the agent and log in as the demo user
      http://agent.profiq.com/cgi-bin/show.cgi
      5.) After login, two iPlanetDirectoryPro cookies are created, one in the main domain (.forgerock.com) and one in the cdsso domain (.profiq.com). Delete the iPDP cookie from the main domain (.forgerock.com). (After deleting the cookie you are still able to browse protected pages.)
      6.) Hit the agent logout page ( http://agent.profiq.com/logout.html )

      Observed result

      Redirected to /index.page; the iPDP cookie was not deleted and the demo session is not terminated, so it is still possible to browse protected pages

      Expected result

      Redirected to /index.page; the iPDP cookie for the cdsso domain is deleted and the demo session in OpenAM is terminated

      agent debug log
      2016-02-16 08:44:49.711 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:130] setup_request_data():
      2016-02-16 08:44:49.712 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:152] setup_request_data(): client ip: 172.25.1.18
      2016-02-16 08:44:49.712 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:190] setup_request_data(): client hostname: (empty)
      2016-02-16 08:44:49.712 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:198] setup_request_data(): original request url: http://agent.profiq.com/logout.html
      2016-02-16 08:44:49.712 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:310] setup_request_data(): no token in query parameters
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:320] setup_request_data(): 
      method: GET 
      original url: http://agent.profiq.com/logout.html
      proto: http
      host: agent.profiq.com
      port: 80
      path: /logout.html
      query: 
      complete: http://agent.profiq.com:80/logout.html
      overridden: http://agent.profiq.com:80/logout.html
      pathinfo: (empty)
      normalized (pathinfo removed): (empty)
      overridden (pathinfo removed): (empty)
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:335] validate_url():
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:347] validate_url(): request url validation feature is not enabled
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:355] handle_notification():
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:411] validate_fqdn_access():
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:431] validate_fqdn_access(): host name agent.profiq.com is valid (maps to fqdn default: agent.profiq.com)
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:741] validate_token():
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/utility.c:957] get_cookie_value(;): parsing cookie header: iPlanetDirectoryPro=AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/utility.c:957] get_cookie_value(=): parsing cookie header: iPlanetDirectoryPro=AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:833] validate_token(): sso token: AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*, status: success
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:840] validate_token(): sso token SI: 01, S1: 
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:492] handle_not_enforced():
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:554] handle_not_enforced(): http://agent.profiq.com:80/logout.html is an application logout url (not enforced)
      2016-02-16 08:44:49.713 +0000   DEBUG [0x7f614dbf5700:7786][source/process.c:1779] handle_exit(): (entry status: success)
      
      nginx debug log
      2016/02/16 08:44:49 [debug] 7786#7786: epoll: fd:3 ev:0005 d:00007F61694EB470
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http keepalive handler
      2016/02/16 08:44:49 [debug] 7786#7786: *84 malloc: 0000000000E05090:1024
      2016/02/16 08:44:49 [debug] 7786#7786: *84 recv: fd:3 605 of 1024
      2016/02/16 08:44:49 [debug] 7786#7786: *84 reusable connection: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 posix_memalign: 0000000000E054A0:4096 @16
      2016/02/16 08:44:49 [debug] 7786#7786: *84 event timer del: 3: 1455612308622
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http process request line
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http request line: "GET /logout.html HTTP/1.1"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http uri: "/logout.html"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http args: ""
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http exten: "html"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http process request header line
      2016/02/16 08:44:49 [debug] 7786#7786: *84 posix_memalign: 0000000000E064B0:4096 @16
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Host: agent.profiq.com"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Connection: keep-alive"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Upgrade-Insecure-Requests: 1"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Referer: http://agent.profiq.com/cgi-bin/show.cgi"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Accept-Encoding: gzip, deflate, sdch"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Accept-Language: en-US,en;q=0.8,cs;q=0.6"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header: "Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http header done
      2016/02/16 08:44:49 [debug] 7786#7786: *84 rewrite phase: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 test location: "/"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 test location: "cgi-bin/"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 test location: "favicon.ico"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 using configuration "/"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http cl:-1 max:1048576
      2016/02/16 08:44:49 [debug] 7786#7786: *84 rewrite phase: 2
      2016/02/16 08:44:49 [debug] 7786#7786: *84 post rewrite phase: 3
      2016/02/16 08:44:49 [debug] 7786#7786: *84 generic phase: 4
      2016/02/16 08:44:49 [debug] 7786#7786: *84 generic phase: 5
      2016/02/16 08:44:49 [debug] 7786#7786: *84 access phase: 6
      2016/02/16 08:44:49 [debug] 7786#7786: *84 pthread_mutex_init(0000000000E06548)
      2016/02/16 08:44:49 [debug] 7786#7786: *84 pthread_cond_init(0000000000E06570)
      2016/02/16 08:44:49 [debug] 7786#7786: pthread_mutex_lock(0000000000DB88B0) enter
      2016/02/16 08:44:49 [debug] 7786#7786: pthread_cond_signal(0000000000DB88F0)
      2016/02/16 08:44:49 [debug] 7786#7786: pthread_mutex_unlock(0000000000DB88B0) exit
      2016/02/16 08:44:49 [debug] 7786#7786: task #57 added to thread pool "agent-pool"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 agent handler: task posted in pool "agent-pool"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http run request: "/logout.html?"
      2016/02/16 08:44:49 [debug] 7786#7786: *84 access phase: 6
      2016/02/16 08:44:49 [error] 7786#7786: *84 agent handler: continuing after unexpected event, client: 172.25.1.18, server: localhost, request: "GET /logout.html HTTP/1.1", host: "agent.profiq.com", referrer: "http://agent.profiq.com/cgi-bin/show.cgi"
      2016/02/16 08:44:49 [debug] 7786#7786: timer delta: 46089
      2016/02/16 08:44:49 [debug] 7786#7786: worker cycle
      2016/02/16 08:44:49 [debug] 7786#7786: epoll timer: -1
      2016/02/16 08:44:49 [debug] 7786#7803: pthread_cond_wait(0000000000DB88F0) exit
      2016/02/16 08:44:49 [debug] 7786#7803: pthread_mutex_unlock(0000000000DB88B0) exit
      2016/02/16 08:44:49 [debug] 7786#7803: run task #57 in thread pool "agent-pool"
      2016/02/16 08:44:49 [debug] 7786#7803: *84 malloc: 00007F61300012F0:8832
      2016/02/16 08:44:49 [debug] 7786#7803: *84 http set discard body
      2016/02/16 08:44:49 [debug] 7786#7803: complete task #57 in thread pool "agent-pool"
      2016/02/16 08:44:49 [debug] 7786#7803: pthread_mutex_lock(0000000000DB88B0) enter
      2016/02/16 08:44:49 [debug] 7786#7803: pthread_cond_wait(0000000000DB88F0) enter
      2016/02/16 08:44:49 [debug] 7786#7786: epoll: fd:15 ev:0001 d:0000000000954D60
      2016/02/16 08:44:49 [debug] 7786#7786: thread pool handler
      2016/02/16 08:44:49 [debug] 7786#7786: run completion handler for task #57
      2016/02/16 08:44:49 [debug] 7786#7786: *84 pthread_cond_destroy(0000000000E06570)
      2016/02/16 08:44:49 [debug] 7786#7786: *84 pthread_mutex_destroy(0000000000E06548)
      2016/02/16 08:44:49 [debug] 7786#7786: *84 agent thread complete callback terminating request ------
      2016/02/16 08:44:49 [debug] 7786#7786: *84 HTTP/1.1 302 Moved Temporarily
      Server: nginx/1.9.10
      Date: Tue, 16 Feb 2016 08:44:49 GMT
      Content-Length: 0
      Connection: close
      Location: http://riso-ubuntu14.test.forgerock.com:8080/openam/UI/Logout?goto=http%3A%2F%2Fagent.profiq.com%3A80%2Findex.html
      
      2016/02/16 08:44:49 [debug] 7786#7786: *84 write new buf t:1 f:0 0000000000E06870, pos 0000000000E06870, size: 257 file: 0, size: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http write filter: l:1 f:0 s:257
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http write filter limit 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 writev: 257 of 257
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http write filter 0000000000000000
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http finalize request: 0, "/logout.html?" a:1, c:1
      2016/02/16 08:44:49 [debug] 7786#7786: *84 event timer add: 3: 5000:1455612294713
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http lingering close handler
      2016/02/16 08:44:49 [debug] 7786#7786: *84 recv: fd:3 -1 of 4096
      2016/02/16 08:44:49 [debug] 7786#7786: *84 recv() not ready (11: Resource temporarily unavailable)
      2016/02/16 08:44:49 [debug] 7786#7786: *84 lingering read: -2
      2016/02/16 08:44:49 [debug] 7786#7786: *84 event timer: 3, old: 1455612294713, new: 1455612294713
      2016/02/16 08:44:49 [debug] 7786#7786: timer delta: 2
      2016/02/16 08:44:49 [debug] 7786#7786: worker cycle
      2016/02/16 08:44:49 [debug] 7786#7786: epoll timer: 5000
      2016/02/16 08:44:49 [debug] 7786#7786: epoll: fd:3 ev:2011 d:00007F61694EB470
      2016/02/16 08:44:49 [debug] 7786#7786: epoll_wait() error on fd:3 ev:2011
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http lingering close handler
      2016/02/16 08:44:49 [debug] 7786#7786: *84 recv: fd:3 0 of 4096
      2016/02/16 08:44:49 [debug] 7786#7786: *84 lingering read: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http request count:1 blk:0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http close request
      2016/02/16 08:44:49 [debug] 7786#7786: *84 http log handler
      2016/02/16 08:44:49 [debug] 7786#7786: *84 free: 00007F61300012F0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 free: 0000000000E054A0, unused: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 free: 0000000000E064B0, unused: 2546
      2016/02/16 08:44:49 [debug] 7786#7786: *84 close http connection: 3
      2016/02/16 08:44:49 [debug] 7786#7786: *84 event timer del: 3: 1455612294713
      2016/02/16 08:44:49 [debug] 7786#7786: *84 reusable connection: 0
      2016/02/16 08:44:49 [debug] 7786#7786: *84 free: 0000000000E05090
      2016/02/16 08:44:49 [debug] 7786#7786: *84 free: 0000000000E04E80, unused: 112
      2016/02/16 08:44:49 [debug] 7786#7786: timer delta: 57
      2016/02/16 08:44:49 [debug] 7786#7786: worker cycle
      2016/02/16 08:44:49 [debug] 7786#7786: epoll timer: -1
      
      httpLive
      GET /logout.html HTTP/1.1
      Host: agent.profiq.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate, sdch
      Accept-Language: en-US,en;q=0.8,cs;q=0.6
      Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*
      Referer: http://agent.profiq.com/cgi-bin/show.cgi
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
      X-DevTools-Emulate-Network-Conditions-Client-Id: 9C3B3A44-728F-4BF7-9627-097D2533D3AD
      
      HTTP/1.1 302 Moved Temporarily
      Connection: close
      Content-Length: 0
      Date: Tue, 16 Feb 2016 08:44:49 GMT
      Location: http://riso-ubuntu14.test.forgerock.com:8080/openam/UI/Logout?goto=http%3A%2F%2Fagent.profiq.com%3A80%2Findex.html
      Server: nginx/1.9.10
      
      GET /openam/UI/Logout?goto=http%3A%2F%2Fagent.profiq.com%3A80%2Findex.html HTTP/1.1
      Host: riso-ubuntu14.test.forgerock.com:8080
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate, sdch
      Accept-Language: en-US,en;q=0.8,cs;q=0.6
      Cookie: JSESSIONID=wCqX2YYnLxezkw11wBH65Ei__SIa7iFjhnAhHt4Z.riso-ubuntu14; i18next=en-US; amlbcookie=01
      Referer: http://agent.profiq.com/cgi-bin/show.cgi
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
      X-DevTools-Emulate-Network-Conditions-Client-Id: 9C3B3A44-728F-4BF7-9627-097D2533D3AD
      
      HTTP/1.1 302 Found
      Cache-Control: private
      Connection: keep-alive
      Content-Length: 0
      Date: Tue, 16 Feb 2016 08:44:42 GMT
      Expires: 0
      Location: http://agent.profiq.com:80/index.html
      Pragma: no-cache
      Server: WildFly/9
      Set-Cookie: iPlanetDirectoryPro=null; path=/; domain=.forgerock.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
      Set-Cookie: amlbcookie=LOGOUT; path=/; domain=.forgerock.com; Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT
      X-Powered-By: Undertow/1
      
      GET /index.html HTTP/1.1
      Host: agent.profiq.com
      Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
      Accept-Encoding: gzip, deflate, sdch
      Accept-Language: en-US,en;q=0.8,cs;q=0.6
      Cookie: iPlanetDirectoryPro=AQIC5wM2LY4SfcygL4Ewde7Ouo52jBZJK2y_-V6nqQZi8HQ.*AAJTSQACMDEAAlNLABQtODI3NDk3NDQ2ODkzMjY2NzE1OQACUzEAAA..*
      Referer: http://agent.profiq.com/cgi-bin/show.cgi
      Upgrade-Insecure-Requests: 1
      User-Agent: Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Ubuntu Chromium/48.0.2564.82 Chrome/48.0.2564.82 Safari/537.36
      X-DevTools-Emulate-Network-Conditions-Client-Id: 9C3B3A44-728F-4BF7-9627-097D2533D3AD
      
      HTTP/1.1 200 OK
      Accept-Ranges: bytes
      Content-Length: 2827
      Content-Type: text/html
      Date: Tue, 16 Feb 2016 08:39:49 GMT
      ETag: "55b8b77e-b0b"
      Last-Modified: Wed, 29 Jul 2015 11:22:38 GMT
      Server: nginx/1.9.10
      

      I also reproduced it on the Apache agent

      OpenAM Web Agent for Apache Server 2.2.x
       Version: 4.0.0
       Revision: 16177
       Build machine: delacroix
       Build date: Oct 27 2015 13:48:39
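      Added example (not the reporter's, OpenAM's or the web agent's code): a Python replay of the logout redirect chain captured above, using a minimal RFC 6265 cookie jar, to show why the session survives. The hostnames, cookie name and cookie domains are taken from the report; the token value is a placeholder, and the only Set-Cookie modelled is the one OpenAM returned from /UI/Logout in the capture. The server-side session table and the agent's acceptance decision are simplified assumptions: OpenAM destroys only a session whose token actually reaches /UI/Logout, and the agent admits any token still present in that table.

```python
"""Cookie-scope replay of the logout flow in this report.

Added example, not OpenAM or web-agent code. It models RFC 6265
domain matching and Set-Cookie expiry the way a browser applies them,
then replays the redirect chain from the httpLive capture:

  agent.profiq.com/logout.html -> 302 -> /openam/UI/Logout on the
  forgerock.com host -> 302 -> agent.profiq.com/index.html

Hostnames, cookie name and cookie domains are the ones in the report;
the token value is a placeholder (constructed), and the only Set-Cookie
modelled is the one OpenAM returned in the capture.
"""
from typing import Dict, Optional, Tuple

COOKIE = "iPlanetDirectoryPro"
TOKEN = "AQIC-placeholder-token"          # constructed; not the captured value
OPENAM_HOST = "riso-ubuntu14.test.forgerock.com"
AGENT_HOST = "agent.profiq.com"
# Same shape as the clearing header OpenAM sent from /UI/Logout in the capture.
OPENAM_LOGOUT_SET_COOKIE = (
    "iPlanetDirectoryPro=null; path=/; domain=.forgerock.com; "
    "Max-Age=0; Expires=Thu, 01-Jan-1970 00:00:00 GMT"
)


def domain_match(host: str, cookie_domain: str) -> bool:
    """RFC 6265 s5.1.3: a cookie scoped to 'example.com' (leading dot
    ignored) is sent to example.com and to any host below it, nowhere else."""
    host = host.lower().rstrip(".")
    domain = cookie_domain.lower().lstrip(".")
    return host == domain or host.endswith("." + domain)


def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into name/value plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"name": name.strip(), "value": value.strip()}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return attrs


class CookieJar:
    """Minimal browser jar keyed on (name, domain); path/secure are ignored here."""

    def __init__(self) -> None:
        self._cookies: Dict[Tuple[str, str], str] = {}

    @staticmethod
    def _key(name: str, domain: str) -> Tuple[str, str]:
        return (name, domain.lower().lstrip("."))

    def store(self, name: str, value: str, domain: str) -> None:
        self._cookies[self._key(name, domain)] = value

    def delete(self, name: str, domain: str) -> None:
        self._cookies.pop(self._key(name, domain), None)

    def apply_set_cookie(self, header: str) -> None:
        """Max-Age=0 removes only the cookie with the same name AND domain;
        a copy stored under a different domain is untouched."""
        c = parse_set_cookie(header)
        if int(c.get("max-age", "1")) <= 0:
            self.delete(c["name"], c["domain"])
        else:
            self.store(c["name"], c["value"], c["domain"])

    def cookies_for(self, host: str) -> Dict[str, str]:
        """What the browser would put in the Cookie header for this host."""
        return {n: v for (n, d), v in self._cookies.items() if domain_match(host, d)}

    def has(self, name: str, domain: str) -> bool:
        return self._key(name, domain) in self._cookies


def replay_logout(delete_main_domain_cookie: bool) -> Dict[str, bool]:
    """Replay steps 5-6 of the report. With delete_main_domain_cookie=True
    only the .profiq.com copy of the token is left in the browser."""
    jar = CookieJar()
    jar.store(COOKIE, TOKEN, ".forgerock.com")   # step 5: two copies after CDSSO login
    jar.store(COOKIE, TOKEN, ".profiq.com")
    if delete_main_domain_cookie:
        jar.delete(COOKIE, ".forgerock.com")

    sessions = {TOKEN: "demo"}                   # assumed OpenAM server-side session table

    # Hop 2: browser follows the agent's 302 to /openam/UI/Logout. OpenAM can
    # only destroy a session whose token actually arrives in the Cookie header.
    token_seen: Optional[str] = jar.cookies_for(OPENAM_HOST).get(COOKIE)
    if token_seen in sessions:
        del sessions[token_seen]
    jar.apply_set_cookie(OPENAM_LOGOUT_SET_COOKIE)

    # Hop 3: back to the agent host. The agent validates whatever token it
    # receives against OpenAM, so the session table decides access.
    agent_token = jar.cookies_for(AGENT_HOST).get(COOKIE)
    return {
        "token_sent_to_openam": token_seen is not None,
        "session_destroyed": TOKEN not in sessions,
        "cdsso_cookie_survives": jar.has(COOKIE, ".profiq.com"),
        "agent_still_accepts": agent_token is not None and agent_token in sessions,
    }


if __name__ == "__main__":
    for flag in (False, True):
        label = "main-domain cookie deleted" if flag else "both cookies present"
        print(label, replay_logout(flag))
```

      Run it with both flags. With both cookies present the token reaches the forgerock.com host and the session is destroyed. With only the .profiq.com copy left, OpenAM never receives the token, its Max-Age=0 header clears only the .forgerock.com scope, and the .profiq.com copy keeps validating at the agent. This is the cookie-scoping gap in the report: a logout that relies on the browser presenting the token to the OpenAM domain cannot reach a session whose only remaining cookie is scoped to the agent's cdsso domain, which is why the expected result asks for the cdsso-domain cookie to be cleared and the session terminated as part of agent logout.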
      

            People

            mareks Mareks Malnacs
            richard.hruza Richard Hruza
            edwardb edwardb
            Votes: 0
            Watchers: 7