Details
Bug
Major
Status: Closed
Resolution: Done
Description
By setting the domain attribute on the cookie we were allowing the
cookie to be applied to subdomains where it may not be valid and may
interfere with other services protected by keycloak-gatekeeper.
For example, let's say we are running keycloak-gatekeeper on the following URLs:
mydomain.com
sub.mydomain.com
If a user logs in to mydomain.com and then tries to visit sub.mydomain.com, the service will fail (infinite redirect loop), as the cookie from the first service will be applied to the second service.
In terms of the cookie, the problem is caused by this piece of code: https://github.com/keycloak/keycloak-gatekeeper/blob/master/cookies.go#L30-L34
If you read section 4.1.2.3 of https://tools.ietf.org/html/rfc6265#section-4.1.2, it implies that if you set the 'Domain' attribute in that fashion, it will propagate down to subdomains.
It seems that to prevent this the 'Domain' attribute should simply be omitted.
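The behaviour described above can be checked against Go's standard cookie jar, which implements the RFC 6265 domain-matching rules. This is an added example, not keycloak-gatekeeper's own code; the cookie name `kc-access` and the two hostnames are constructed for the demonstration.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/cookiejar"
	"net/url"
)

// cookieSentTo stores a cookie set by setURL with the given Domain attribute
// (empty string = attribute omitted, i.e. a host-only cookie) and reports
// whether the jar would send it back on a request to getURL.
func cookieSentTo(setURL, getURL, domain string) (bool, error) {
	jar, err := cookiejar.New(nil) // no public-suffix list; fine for example.com-style hosts
	if err != nil {
		return false, err
	}
	su, err := url.Parse(setURL)
	if err != nil {
		return false, err
	}
	gu, err := url.Parse(getURL)
	if err != nil {
		return false, err
	}
	// Constructed cookie standing in for gatekeeper's access-token cookie.
	c := &http.Cookie{Name: "kc-access", Value: "token", Path: "/", Domain: domain}
	jar.SetCookies(su, []*http.Cookie{c})
	for _, got := range jar.Cookies(gu) {
		if got.Name == "kc-access" {
			return true, nil
		}
	}
	return false, nil
}

func main() {
	const root, sub = "https://mydomain.com/", "https://sub.mydomain.com/"
	leaks, _ := cookieSentTo(root, sub, "mydomain.com") // Domain attribute set
	hostOnly, _ := cookieSentTo(root, sub, "")          // Domain attribute omitted
	fmt.Printf("Domain=mydomain.com sent to sub: %v\n", leaks)    // true
	fmt.Printf("Domain omitted sent to sub:      %v\n", hostOnly) // false
}
```

The first call reproduces the cross-service interference from the issue; the second shows that omitting the attribute keeps the cookie on the host that set it.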