MAGNOLIA-8112

Login/logout redirects from https to http if behind proxy


    • Bug
    • Resolution: Fixed
    • Critical
    • 6.2.10
    • 6.2.9
    • None
    • Yes
    • Maintenance 62, Maintenance 62
    • 5

      Steps to reproduce

      1. Open https://demo.magnolia-cms.com/
      2. Fill in credentials on login page
      3. Inspect network in browser

      Expected results

      1. Request is only redirected to the original URL I've entered (https://demo.magnolia-cms.com/) after login.

      Actual results

      1. The request is redirected to http, then back to https.
      2. Since Chrome v90, this works only if cross site cookies are allowed.

      Workaround

      <CookieProcessor sameSiteCookies="None" />

      Development notes

      LoginFilter#getRedirectLocation redirects to an absolute URL in the case of a self-redirect (to the browser URL the user accessed before login and which was forwarded to the login page), which might be http behind a proxy although the browser uses https. Changing this to relative (URI) might fix the issue.

      Quickfix applied to demo: https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/pull-requests/52/commits/fee6debafd3d91d0f838989fdc0f0056ceadfe8e#magnolia-demo-setup-module/src/main/java/info/magnolia/demosetup/DemoLoginFilter.java

      Logout suffers from the same issue: https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/LogoutFilter.java#98

        Acceptance criteria

              fgrilli Federico Grilli
              rkovarik Roman Kovařík
              Votes: 0
              Watchers: 7

                Created:
                Updated:
                Resolved:
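
The idea from the development notes, as an added example (not Magnolia's code and not the quickfix applied to the demo): a hypothetical `toRelative` helper reduces the absolute URL the backend reconstructed to path and query, so the browser resolves the redirect against the https origin it is already on. The class name, host name and sample URLs are constructed, and the same-host check is an assumption about what a self-redirect should allow.

```java
import java.net.URI;
import java.net.URISyntaxException;

public class RelativeRedirect {

    /**
     * Hypothetical helper: turn the backend's view of the original request URL
     * (often http:// behind a TLS-terminating proxy) into a relative Location value.
     * backendHost is the host name the backend itself sees for the request (assumption).
     */
    static String toRelative(String backendUrl, String backendHost) throws URISyntaxException {
        URI uri = new URI(backendUrl).normalize();
        // A self-redirect must stay on this host; anything else falls back to the root.
        if (uri.getHost() != null && !uri.getHost().equalsIgnoreCase(backendHost)) {
            return "/";
        }
        String path = uri.getRawPath();
        if (path == null || path.isEmpty()) {
            path = "/"; // opaque URIs (mailto:, javascript:) and bare hosts end up here
        }
        // Collapse leading slashes: "//host/x" would be read as a protocol-relative URL.
        path = "/" + path.replaceFirst("^/+", "");
        String query = uri.getRawQuery();
        return query == null ? path : path + "?" + query;
    }

    public static void main(String[] args) throws URISyntaxException {
        String host = "demo.example.test"; // constructed host name
        String[] samples = {                // constructed sample URLs
            "http://demo.example.test/app/page?lang=en",   // backend sees http
            "http://demo.example.test",                    // no path
            "http://other.example.test/app/page",          // different host
            "//other.example.test/app/page",               // protocol-relative
            "http://demo.example.test//other.example.test" // leading double slash in path
        };
        for (String s : samples) {
            System.out.println(s + " -> " + toRelative(s, host));
        }
    }
}
```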