Uploaded image for project: 'Magnolia'
  1. Magnolia
  2. MAGNOLIA-8112

Login/logout redirects from https to http if behind proxy

    XMLWordPrintable

Details

    • Bug
    • Resolution: Fixed
    • Critical
    • 6.2.10
    • 6.2.9
    • None
    • Yes
    • Maintenance 62, Maintenance 62
    • 5

    Description

      Steps to reproduce

      1. Open https://demo.magnolia-cms.com/
      2. Fill in credentials on login page
      3.  Inspect network in browser

      Expected results

      1. Request is only redirect to original URL I've entered (https://demo.magnolia-cms.com/) after login.

      Actual results

      1. The request is redirected to http, then back to https.
      2. Since Chrome v90, this works only if cross site cookies are allowed.

      Workaround

      <CookieProcessor sameSiteCookies="None" />

      Development notes

      LoginFilter#getRedirectLocation redirects to absolute URL in case of the self redirect (to the browser URL user accessed before login and which was forwarded to login page), which might be http behind proxy although the browser uses https. Changing this to relative (URI) might fix the issue.

      Quickfix applied to demo https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/pull-requests/52/commits/fee6debafd3d91d0f838989fdc0f0056ceadfe8e#magnolia-demo-setup-module/src/main/java/info/magnolia/demosetup/DemoLoginFilter.java

      Logout suffers from the same issue https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/LogoutFilter.java#98

      Checklists

        Acceptance criteria

        Attachments

          Issue Links

            relates to

            Bug - A problem which impairs or prevents the functions of the product. MGNLSSO-56 Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict"

            • Neutral -
            • Open

            Bug - A problem which impairs or prevents the functions of the product. MGNLSSO-65 CLONE - Session lost & authentication broken with CookieProcessor sameSiteCookies="Strict"

            • Blocker - Blocks development and/or testing work, production could not run.
            • Closed
            mentioned in

            Page Loading...

            Activity

              People

                fgrilli Federico Grilli
                rkovarik Roman Kovařík
                Votes:
                0 Vote for this issue
                Watchers:
                7 Start watching this issue

                Dates

                  Created:
                  Updated:
                  Resolved:

                  Checklists

                    Bug DoR
                    Task DoD