[KEYCLOAK-10668] keycloak-gatekeeper - Cookies being applied to subdomains - Red Hat Issue Tracker

XML

Word

Printable

Details

Type: Bug
Status: Closed
Priority: Major
Resolution: Done
Affects Version/s: None
Fix Version/s: 8.0.0
Component/s: Gatekeeper
Labels:
- release-notes

Story Points:
1
Steps to Reproduce:

Hide

1. Set-up keycloak-gatekeeper on a domain and one of its subdomains.
2. Log-in to the domain.
3. Attempt to visit the subdomain.

Show
1. Set-up keycloak-gatekeeper on a domain and one of its subdomains. 2. Log-in to the domain. 3. Attempt to visit the subdomain.
Docs QE Status:
NEW
QE Status:
NEW

Description

By setting the domain attribute on the cookie we were allowing the
cookie to be applied to subdomains where it may not be valid and may
interfere with other services protected by keycloak-gatekeeper.

For example, let's say we are running keycloak-gatekeeper on the following URLs:

mydomain.com
sub.mydomain.com

If a user logs in to mydomain.com and then tries to visit sub.mydomain.com the service will fail (infinite redirect loop) as the cookie from the first service will be applied to the second service.

In terms of the cookie, the problem is caused by this piece of code: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L30-L34

If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2 it implies that if you set the 'Domain' attribute in that fashion it will propagate down to subdomains.

It seems that to prevent this the 'Domain' attribute should simply be omitted.

Attachments

Activity

People

Assignee:: (inactive user) Bruno Oliveira Silva (Inactive)

Reporter:: Daniel Martin (Inactive)

Votes:: 0 Vote for this issue

Watchers:: 5 Start watching this issue

Dates

Created:: 2019/06/17 12:34 PM

Updated:: 2021/10/24 6:40 AM

Resolved:: 2019/09/26 9:49 AM