[MAGNOLIA-8112] Login/logout redirects from https to http if behind proxy Created: 03/Jun/21  Updated: 04/Jul/21  Resolved: 18/Jun/21

Status: Closed
Project: Magnolia
Component/s: None
Affects Version/s: 6.2.9
Fix Version/s: 6.2.10

Type: Bug Priority: Critical
Reporter: Roman Kovařík Assignee: Federico Grilli
Resolution: Fixed Votes: 0
Labels: maintenance
Remaining Estimate: Not Specified
Time Spent: Not Specified
Original Estimate: Not Specified

Issue Links:
Relates
relates to MGNLSSO-65 CLONE - Session lost & authentication... Closed
relates to MGNLSSO-56 Session lost & authentication broken ... Closed
causality
Template:
Acceptance criteria:
Empty
Task DoD:
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ]  Architecture Decision Record (ADR)
[X]* ticket to revert https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/commits/16d0672e1279c9cf3d05d73452ce00e04ace3939 [Federico Grilli]
Bug DoR:
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
Release notes required:
Yes
Date of First Response:
Sprint: Maintenance 62, Maintenance 62
Story Points: 5

Description

Steps to reproduce

  1. Open https://demo.magnolia-cms.com/
  2. Fill in credentials on login page
  3. Inspect the network traffic in the browser

Expected results

  1. After login, the request is only redirected to the original URL I entered (https://demo.magnolia-cms.com/).

Actual results

  1. The request is redirected to http, then back to https.
  2. Since Chrome v90, this works only if cross-site cookies are allowed.

Workaround

<CookieProcessor sameSiteCookies="None" />

Development notes

LoginFilter#getRedirectLocation redirects to absolute URL in case of the self redirect (to the browser URL user accessed before login and which was forwarded to login page), which might be http behind proxy although the browser uses https. Changing this to relative (URI) might fix the issue.

Quickfix applied to demo https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/pull-requests/52/commits/fee6debafd3d91d0f838989fdc0f0056ceadfe8e#magnolia-demo-setup-module/src/main/java/info/magnolia/demosetup/DemoLoginFilter.java

Logout suffers from the same issue https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/LogoutFilter.java#98
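To illustrate the development note above, here is a small added example (not Magnolia code and not the actual LoginFilter or LogoutFilter implementation) that contrasts the two ways of building the self-redirect target. The ProxiedRequest class, the host demo.example and port 8080 are constructed stand-ins for what a servlet container sees when a TLS-terminating proxy forwards the browser's https request over plain HTTP.

```java
/** Constructed stand-in for the parts of HttpServletRequest this example needs. */
final class ProxiedRequest {
    final String scheme;      // what the container sees: "http" once TLS ends at the proxy
    final String serverName;
    final int serverPort;
    final String requestURI;  // path the browser asked for before the forward to the login page
    final String queryString; // may be null

    ProxiedRequest(String scheme, String serverName, int serverPort, String requestURI, String queryString) {
        this.scheme = scheme;
        this.serverName = serverName;
        this.serverPort = serverPort;
        this.requestURI = requestURI;
        this.queryString = queryString;
    }
}

public class SelfRedirectExample {

    /** Problematic form: rebuilds an absolute URL from the connection the container sees. */
    static String absoluteSelfRedirect(ProxiedRequest req) {
        boolean defaultPort = ("http".equals(req.scheme) && req.serverPort == 80)
                || ("https".equals(req.scheme) && req.serverPort == 443);
        String authority = defaultPort ? req.serverName : req.serverName + ":" + req.serverPort;
        // Behind a TLS-terminating proxy this yields an http:// location even though the
        // browser is on https, which is the redirect flip described in the issue.
        return req.scheme + "://" + authority + pathWithQuery(req);
    }

    /** Proposed form: a scheme-less, host-less URI; the browser keeps its own scheme and host. */
    static String relativeSelfRedirect(ProxiedRequest req) {
        return pathWithQuery(req);
    }

    private static String pathWithQuery(ProxiedRequest req) {
        return req.queryString == null ? req.requestURI : req.requestURI + "?" + req.queryString;
    }

    public static void main(String[] args) {
        // Constructed sample: browser opened https://demo.example/travel?lang=en,
        // the proxy forwarded it to the container as plain HTTP on port 8080.
        ProxiedRequest req = new ProxiedRequest("http", "demo.example", 8080, "/travel", "lang=en");
        System.out.println("absolute self-redirect: " + absoluteSelfRedirect(req));
        System.out.println("relative self-redirect: " + relativeSelfRedirect(req));
    }
}
```

The relative form applies only to the self-redirect; a custom return target passed via mgnlReturnTo (see the reporter's later comment) is a separate case, and an IdP-based login may still need an absolute, whitelisted URL.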



Comments
Comment by Espen Jervidalo [ 03/Jun/21 ]

+1

After releasing this, these commits can get reverted:
https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/commits/33a7b6e40a332399f6b549e3d2baa6bb40877231
https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/commits/fee6debafd3d91d0f838989fdc0f0056ceadfe8e

Comment by Espen Jervidalo [ 03/Jun/21 ]

Actually, this workaround might not work: <CookieProcessor sameSiteCookies="None" />

Instead, remove the line completely.

Comment by Hua Tien Chanh [ 04/Jun/21 ]

I have a side note if we plan to omit the protocol in the redirect URL (e.g. using a relative path): if the login process involves an IdP (e.g. Okta, Keycloak), the IdP provider would require the redirect URL to be whitelisted, and it requires an absolute URL. It could be an issue when integrating with the SSO module.

There is some reference in this context:
https://git.magnolia-cms.com/projects/CLOUD/repos/magnolia-cloud/pull-requests/79/overview?commentId=77689

https://jira.magnolia-cms.com/browse/CLOUD-31


Comment by Roman Kovařík [ 04/Jun/21 ]

To prevent confusion, I've updated the description:

in case of the self redirect (to the browser URL user accessed before login and which was forwarded to login page)

So this is not about any other custom redirect which can still be absolute or relative, depending on mgnlReturnTo parameter.
