This topic has 8 replies, 2 voices, and was last updated 6 years, 4 months ago by bertalanvoros.

  • #10790
     bertalanvoros
    Participant

    Hello All,

    I am trying to set up one of our applications behind OpenIG.
    All is well except for a weird thing with the cookie set by the application.

    When the application is accessed directly, the cookie gets an expiration date.
    Via OpenIG it just has “session” in the same field.

    Should a cookie filter be used on the chain that has the client handler?
    Should it be set to relay all cookies?

    Thank you in advance,

    #10793

    Can you show the cookies you expect and what you actually see?

    #10797
     bertalanvoros
    Participant

    Set-Cookie[...]domain=.mydomain.com; expires=Thu, 02-Jun-2016 14:32:31 GMT; path=/; HttpOnly

    Set-Cookie[...]ath=/; Domain=.mydomain.com; HttpOnly

    #10804

    So the first one is the one you received from your protected application, and the second one is what your user-agent receives?

    #10805
     bertalanvoros
    Participant

    The first one is one I am getting when going directly. The second one is one via OpenIG.

    I have also set up a route for this that does not do anything, just a ClientHandler, and it has the same behaviour.

    Example request and response from the ClientHandler log.

    --- (request) id:be59bb2c-a8a4-4411-a209-838e9ffa2914-21 --->
    
    POST https://site.mydomain.com:443/security/signin?returnUrl=/ HTTP/1.1
    accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    accept-encoding: gzip, deflate, br
    accept-language: en;q=1,hu;q=0.9,en-US;q=0.8
    cache-control: max-age=0
    content-length: 60
    content-type: application/x-www-form-urlencoded
    cookie: _selectedBulletinBoard=12; amlbcookie=01; iPlanetDirectoryPro=AQIC5wM2LY4SfcwePAeHTJb02DR9XZ7w7zQYRiF6kOcA_pw.*AAJTSQACMDIAAlNLABQtMzEzNDQ0NjYyMzQ1Nz
    QyMTUxMQACUzEAAjAx*; JSESSIONID=FE410EA4F0581E5CDE575E3C92EF8D80; __utmt=1; __utma=1.197270527.1464271289.1464280423.1464340655.3; __utmb=1.7.10.1464340655;
    __utmc=1; __utmz=1.1464340655.3.3.utmcsr=login.mydomain.com|utmccn=(referral)|utmcmd=referral|utmcct=/openam/XUI/
    host: site.mydomain.com
    origin: https://site.mydomain.com
    referer: https://site.mydomain.com/Security/SignIn?ReturnUrl=%2f
    upgrade-insecure-requests: 1
    user-agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
    
    [entity]
    
    FRI MAY 27 10:49:26 BST 2016 INFO @Capture[SSLClientHandler] ---
    
    <--- (response) id:be59bb2c-a8a4-4411-a209-838e9ffa2914-21 ---
    
    HTTP/1.1 302 Found
    Cache-Control: private, no-store
    Content-Length: 118
    Content-Type: text/html; charset=utf-8
    Date: Fri, 27 May 2016 09:49:25 GMT
    Location: /
    Set-Cookie: .ABCDEFGHONLINE=7299DA10CDD7BE3FC655E32598C08A9B838D65F0BB7AAC057BFF6861FDDCCEA18A242597654CD89EDD430FC150AA61113110413E9BBC6AEEC4514E282F1FF97D
    9BEE5798162368ABC82B2EB180A54DF6303C16BAF024F1467014CE3000486EB270B9E7BDE509C806021E0C764E3E40CFE4D2C0A7BB2249BFE88BCCAC509A2DEDB3C492E97E9A2E40A85E796DF4DB6
    F356ACDA16735E55CA14FCDAC5318429392AD1B729E13019ACD05F1F98A1EF69FCB349278A65CAA8F87E41326552E51763922E6482B4A85BDB1BB5B54C8B4013980EEB87EA4AC4D177439A44ED97B
    6379DD9E3D1F251D2BD3285C8898B92D33FEE6FB345353; Path=/; Domain=.mydomain.com; HttpOnly
    
    [entity]
    
    FRI MAY 27 10:49:26 BST 2016 INFO @Capture[SSLClientHandler] ---

    #10806

    Thanks for the data

    By default, OpenIG doesn't change the response in any way: cookies are just headers after all, and IG does not change them.

    Could you capture as well the full request and response you have when contacting the application directly ?

    #10808
     bertalanvoros
    Participant

    Request URL:https://site.mydomain.com/security/signin?returnUrl=%2F
    Request Method:POST
    Status Code:302 Found
    Remote Address:10.20.30.40:443
    Response Headers
    HTTP/1.1 302 Found
    Cache-Control: private, no-store
    Content-Type: text/html; charset=utf-8
    Date: Fri, 27 May 2016 10:56:03 GMT
    Location: /
    Set-Cookie[...]domain=.mydomain.com; expires=Fri, 03-Jun-2016 10:56:03 GMT; path=/; HttpOnly
    Content-Length: 118
    Connection: keep-alive
    Request Headers
    POST /security/signin?returnUrl=%2F HTTP/1.1
    Host: site.mydomain.com
    Connection: keep-alive
    Content-Length: 60
    Pragma: no-cache
    Cache-Control: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Origin: https://site.mydomain.com
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
    Content-Type: application/x-www-form-urlencoded
    Referer: https://site.mydomain.com/Security/SignIn?ReturnUrl=%2f
    Accept-Encoding: gzip, deflate, br
    Accept-Language: en,hu;q=0.8,en-US;q=0.6
    Cookie: __utmt=1; __utma=1.1226314700.1464346539.1464346539.1464346539.1; __utmb=1.2.9.1464346539; __utmc=1; __utmz=1.1464346539.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none)
    Query String Parameters
    returnUrl=%2F
    Form Data
    username=user.name%40mydomain.com&password=MyPassword1%23
    
    Request URL:https://site.mydomain.com/
    Request Method:GET
    Status Code:200 OK
    Remote Address:10.20.30.40:443
    Response Headers
    HTTP/1.1 200 OK
    Cache-Control: private, no-store
    Content-Encoding: gzip
    Content-Type: text/html; charset=utf-8
    Date: Fri, 27 May 2016 10:56:03 GMT
    Set-Cookie: _culture=en-GB; path=/
    Vary: Accept-Encoding
    Content-Length: 15454
    Connection: keep-alive
    Request Headers
    GET / HTTP/1.1
    Host: site.mydomain.com
    Connection: keep-alive
    Pragma: no-cache
    Cache-Control: no-cache
    Accept: text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8
    Upgrade-Insecure-Requests: 1
    User-Agent: Mozilla/5.0 (Windows NT 10.0; WOW64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/50.0.2661.102 Safari/537.36
    Referer: https://site.mydomain.com/Security/SignIn?ReturnUrl=%2f
    Accept-Encoding: gzip, deflate, sdch, br
    Accept-Language: en,hu;q=0.8,en-US;q=0.6
    Cookie: __utmt=1; __utma=1.1226314700.1464346539.1464346539.1464346539.1; __utmb=1.2.9.1464346539; __utmc=1; __utmz=1.1464346539.1.1.utmcsr=(direct)|utmccn=(direct)|utmcmd=(none[...]

    #10817
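
    A quick way to do the comparison this thread is doing by eye, as an added example that is not part of the thread and not OpenIG or ForgeRock code: it parses the Set-Cookie headers from a direct and a proxied capture, reports which attributes went missing on the proxied path, and says whether the cookie changed from persistent (Expires/Max-Age present) to session-only. The cookie name and value below are constructed stand-ins, since the real application cookie is elided in the captures above. The Secure/SameSite findings are a side check a reviewer would want here: in both captures the cookie is set over HTTPS without a Secure flag.

```python
"""Diff Set-Cookie attributes between a direct and a proxied response.

Added example for this thread; it is not OpenIG or ForgeRock code.
Cookie names and values below are constructed stand-ins for the elided
application cookie in the captures.
"""


def parse_set_cookie(header):
    """Split one Set-Cookie header into (name, value, attributes).

    Attribute keys are lower-cased because origin and proxy differ in case
    ("expires" vs "Expires"); value-less flags such as HttpOnly map to True.
    Splitting on ';' keeps the comma inside an Expires date intact.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def is_persistent(attrs):
    """A cookie is persistent only if Expires or Max-Age survives; without
    either the browser treats it as a session cookie (what the reporter sees)."""
    return "expires" in attrs or "max-age" in attrs


def security_findings(attrs):
    """Attribute gaps worth raising regardless of the proxy question."""
    findings = []
    if "secure" not in attrs:
        findings.append("no Secure flag although set over HTTPS")
    if "httponly" not in attrs:
        findings.append("no HttpOnly flag")
    if "samesite" not in attrs:
        findings.append("no SameSite attribute")
    return findings


def diff_cookies(direct_headers, proxied_headers):
    """Per cookie name, list attributes lost or added on the proxied path,
    whether persistence changed, and findings on the proxied cookie."""
    direct = {n: a for n, _, a in map(parse_set_cookie, direct_headers)}
    proxied = {n: a for n, _, a in map(parse_set_cookie, proxied_headers)}
    report = {}
    for name, d_attrs in direct.items():
        if name not in proxied:
            report[name] = {"missing_on_proxied_path": True}
            continue
        p_attrs = proxied[name]
        report[name] = {
            "lost": sorted(k for k in d_attrs if k not in p_attrs),
            "added": sorted(k for k in p_attrs if k not in d_attrs),
            "direct_persistent": is_persistent(d_attrs),
            "proxied_persistent": is_persistent(p_attrs),
            "findings": security_findings(p_attrs),
        }
    return report


# Constructed captures modelled on the thread: the direct response carries
# an Expires attribute, the proxied one does not. ".EXAMPLEAUTH" is a
# placeholder name, not the real cookie.
DIRECT_SET_COOKIE = [
    ".EXAMPLEAUTH=abc123; domain=.mydomain.com; "
    "expires=Fri, 03-Jun-2016 10:56:03 GMT; path=/; HttpOnly",
    "_culture=en-GB; path=/",
]
PROXIED_SET_COOKIE = [
    ".EXAMPLEAUTH=abc123; Path=/; Domain=.mydomain.com; HttpOnly",
]


if __name__ == "__main__":
    for name, entry in diff_cookies(DIRECT_SET_COOKIE, PROXIED_SET_COOKIE).items():
        print(name, entry)
```

    Feed it the raw Set-Cookie lines from the two captures (one list per path) and the "lost" entry for the application cookie shows directly which attribute the intermediary dropped; a cookie that is persistent on one path and session-only on the other is the symptom described in this thread.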
     bertalanvoros
    Participant

    Would/Could the j2ee agent have an impact on this?
    OpenIG is being protected by the j2ee agent.

    #10819
     bertalanvoros
    Participant

    I have just quickly tested this configuration on another OpenIG server that does not have the j2ee agent configured.
    Even though the cookie set is the same, the protected application doesn’t exhibit the problem like it does via the other server.

    So it looks like the problem I am experiencing has something to do with the j2ee agent.



©2022 ForgeRock - we provide an identity and access platform to secure every online relationship for the enterprise market, educational sector and even entire countries. Click to view our privacy policy and terms of use.
