[MAGNOLIA-8112] Login/logout redirects from https to http if behind proxy
| Created: | 03/Jun/21 | Updated: | 04/Jul/21 | Resolved: | 18/Jun/21 |
| Status: | Closed |
| Project: | Magnolia |
| Component/s: | None |
| Affects Version/s: | 6.2.9 |
| Fix Version/s: | 6.2.10 |
| Type: | Bug | Priority: | Critical |
| Reporter: | Roman Kovařík | Assignee: | Federico Grilli |
| Resolution: | Fixed | Votes: | 0 |
| Labels: | maintenance |
| Remaining Estimate: | Not Specified |
| Time Spent: | Not Specified |
| Original Estimate: | Not Specified |
| Issue Links: | |
| Template: | |
| Acceptance criteria: | Empty |
| Task DoD: |
[X]* Doc/release notes changes? Comment present?
[X]* Downstream builds green?
[X]* Solution information and context easily available?
[X]* Tests
[X]* FixVersion filled and not yet released
[ ] Architecture Decision Record (ADR)
[X]* ticket to revert https://git.magnolia-cms.com/projects/INTERNAL/repos/demo.magnolia-cms.com/commits/16d0672e1279c9cf3d05d73452ce00e04ace3939 [Federico Grilli]
| Bug DoR: |
[X]* Steps to reproduce, expected, and actual results filled
[X]* Affected version filled
| Release notes required: | Yes |
| Date of First Response: | |
| Sprint: | Maintenance 62, Maintenance 62 |
| Story Points: | 5 |
| Description |
Steps to reproduce
Expected results
Actual results
Workaround
<CookieProcessor sameSiteCookies="None" />
Development notes
LoginFilter#getRedirectLocation redirects to an absolute URL in the case of the self-redirect (to the browser URL the user accessed before login and which was forwarded to the login page), which might be http behind a proxy although the browser uses https. Changing this to a relative URI might fix the issue. Logout suffers from the same issue: https://git.magnolia-cms.com/projects/PLATFORM/repos/main/browse/magnolia-core/src/main/java/info/magnolia/cms/security/LogoutFilter.java#98
| Comments |
| Comment by Espen Jervidalo [ 03/Jun/21 ] |
+1 After releasing this, these commits can get reverted:
| Comment by Espen Jervidalo [ 03/Jun/21 ] |
Actually, this workaround might not work: <CookieProcessor sameSiteCookies="None" /> Instead, remove the line completely.
| Comment by Hua Tien Chanh [ 04/Jun/21 ] |
I have a side note if we plan to omit the protocol in the redirect URL (e.g. using a relative path): if the login process involves an IdP (e.g. Okta, Keycloak), the IdP would require the redirect URL to be whitelisted, and it requires an absolute URL. It could be an issue when integrating with the SSO module. There is some reference in this context: https://jira.magnolia-cms.com/browse/CLOUD-31
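The three redirect shapes discussed in the description (absolute URL taken from the request, which carries the proxy-to-application scheme; the proposed path-relative URI) and in the comment above (an absolute URL for an IdP whitelist), side by side as an added example. This is not Magnolia's code: the Request class is a stand-in for HttpServletRequest, and the URLs, the proxy address 10.0.0.5, the X-Forwarded-Proto / X-Forwarded-Host header names and the trusted-proxy set are all assumptions made for the demonstration.

```java
import java.util.Collections;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;

/**
 * Added example, not Magnolia code. Computes the post-login self-redirect three ways
 * from a request that reached the application node through a TLS-terminating proxy.
 */
public class SelfRedirectExample {

    /** Minimal stand-in for the servlet request as the application node sees it (assumption). */
    static final class Request {
        final String scheme;      // scheme of the last hop: "http" when the proxy terminated TLS
        final String serverName;
        final int serverPort;
        final String requestURI;  // path only, no query string (like HttpServletRequest#getRequestURI)
        final String queryString; // null when absent
        final String remoteAddr;  // the peer that connected, i.e. the proxy, not the browser
        final Map<String, String> headers = new HashMap<>();

        Request(String scheme, String serverName, int serverPort, String requestURI,
                String queryString, String remoteAddr) {
            this.scheme = scheme; this.serverName = serverName; this.serverPort = serverPort;
            this.requestURI = requestURI; this.queryString = queryString; this.remoteAddr = remoteAddr;
        }

        /** Mirrors HttpServletRequest#getRequestURL(): last-hop scheme, host, non-default port, path. */
        StringBuilder getRequestURL() {
            StringBuilder sb = new StringBuilder(scheme).append("://").append(serverName);
            if (!portIsDefault(scheme, serverPort)) sb.append(':').append(serverPort);
            return sb.append(requestURI);
        }
    }

    static boolean portIsDefault(String scheme, int port) {
        return ("http".equals(scheme) && port == 80) || ("https".equals(scheme) && port == 443);
    }

    /** Path plus query string: the part of the original URL that does not depend on the hop. */
    static String pathAndQuery(Request req) {
        return req.queryString == null ? req.requestURI : req.requestURI + "?" + req.queryString;
    }

    /** The shape the ticket describes as buggy: the scheme comes from the proxy-to-app hop (http),
     *  not from what the browser used (https), so the Location header downgrades the session. */
    static String absoluteSelfRedirect(Request req) {
        StringBuilder url = req.getRequestURL();
        if (req.queryString != null) url.append('?').append(req.queryString);
        return url.toString();
    }

    /** The fix the ticket proposes: a path-relative Location. The browser resolves it against the
     *  origin it is already talking to, so scheme and host stay whatever the browser used.
     *  Only a single-slash absolute path is accepted: "//host/..." is scheme-relative and off-site. */
    static String relativeSelfRedirect(Request req) {
        String target = pathAndQuery(req);
        if (!target.startsWith("/") || target.startsWith("//") || target.startsWith("/\\")) {
            throw new IllegalArgumentException("refusing non-local redirect target: " + target);
        }
        return target;
    }

    /** For flows that need an absolute URL (an IdP that whitelists redirect URIs): rebuild scheme and
     *  host from the forwarded headers, but only when the connecting peer is a proxy we operate.
     *  Otherwise any client could inject X-Forwarded-* and pick the scheme or host of the redirect. */
    static String absoluteFromForwardedHeaders(Request req, Set<String> trustedProxies) {
        String scheme = req.scheme;
        String hostAndPort = req.serverName
                + (portIsDefault(req.scheme, req.serverPort) ? "" : ":" + req.serverPort);
        if (trustedProxies.contains(req.remoteAddr)) {
            String proto = req.headers.get("X-Forwarded-Proto");
            if (proto != null) scheme = proto.split(",")[0].trim().toLowerCase();
            String fwdHost = req.headers.get("X-Forwarded-Host");
            if (fwdHost != null) hostAndPort = fwdHost.split(",")[0].trim();
        }
        if (!"http".equals(scheme) && !"https".equals(scheme)) {
            throw new IllegalArgumentException("unexpected forwarded scheme: " + scheme);
        }
        if (!hostAndPort.matches("[A-Za-z0-9.-]+(:[0-9]+)?")) {
            throw new IllegalArgumentException("unexpected forwarded host: " + hostAndPort);
        }
        return scheme + "://" + hostAndPort + relativeSelfRedirect(req);
    }

    public static void main(String[] args) {
        // Constructed request: the browser asked for https://www.example.com/magnoliaAuthor/.magnolia/admincentral,
        // the proxy at 10.0.0.5 terminated TLS and forwarded it to the app node over plain http.
        Request req = new Request("http", "www.example.com", 80,
                "/magnoliaAuthor/.magnolia/admincentral", null, "10.0.0.5");
        req.headers.put("X-Forwarded-Proto", "https");
        req.headers.put("X-Forwarded-Host", "www.example.com");
        Set<String> trustedProxies = Collections.singleton("10.0.0.5");

        System.out.println("absolute from request   : " + absoluteSelfRedirect(req));
        System.out.println("relative (proposed fix) : " + relativeSelfRedirect(req));
        System.out.println("absolute, proxy-aware   : " + absoluteFromForwardedHeaders(req, trustedProxies));

        // Same path, but from a peer that is not a trusted proxy: its forwarded headers are ignored.
        Request spoofed = new Request("http", "www.example.com", 80, req.requestURI, null, "203.0.113.9");
        spoofed.headers.put("X-Forwarded-Proto", "https");
        spoofed.headers.put("X-Forwarded-Host", "attacker.example");
        System.out.println("absolute, untrusted peer: " + absoluteFromForwardedHeaders(spoofed, trustedProxies));
    }
}
```

The relative form needs no knowledge of the proxy at all, which is why it is the robust choice for the self-redirect; the forwarded-header form is only worth the extra trust configuration where a consumer such as an IdP whitelist genuinely demands an absolute URL.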
| Comment by Roman Kovařík [ 04/Jun/21 ] |
To prevent confusion, I've updated the description:
So this is not about any other custom redirect, which can still be absolute or relative, depending on the mgnlReturnTo parameter.