Red Hat Developer Hub Bugs / RHDHBUGS-945

Domain set for auth cookie can cause authentication issues for sub-domains

      = OAuth authentication cookies are configured as host-only

      Before this update, when {product-short} was deployed on different subdomains (for example, `example.foo.com` and `staging.example.foo.com`), the application set cookies for both the parent domain and the subdomain. As a consequence, refreshing the browser on a subdomain caused the session re-establishment to use the parent domain cookie, which caused the refresh API request to fail.

      With this update, OAuth authentication cookies are configured as host-only. As a result, cookies are not shared across subdomains, and users can switch between {product-very-short} instances hosted on different subdomains without manually clearing their browser cookies.
    • Bug Fix
    • Done
    • RHDH Security 3273, RHDH Security 3274, RHDH Security 3275, RHDH Security 3276, RHDH Security 3278, RHDH Security 3279

      When deploying RHDH to multiple environments such as production/staging/development, if a user opts to put these environments on different sub-domains of the same domain, authentication issues can start to occur for users that interact with RHDH instances running at these different domains.

      For example, given a setup like:

      example.foo.com
      staging.example.foo.com
      dev.example.foo.com

      When a user authenticates against an RHDH instance running at "example.foo.com", the user gets a new cookie from the auth backend module, associated with the domain the app is running at. If that user then accesses another RHDH instance running at one of these sub-domains, the user gets an additional cookie with the same ID but associated with the sub-domain.

      At this point, if the user refreshes the browser, the cookie used to re-establish the session is the "example.foo.com" cookie. The refresh API request works if the user is currently connected to the example.foo.com domain; however, the refresh API request fails if the user is connected to the staging.example.foo.com domain.

              rh-ee-jhe Jessica He
              stlewis_2 Stan Lewis
              RHDH Security
              Votes: 0
              Watchers: 4
