Cookie used to send auth token to front-end after SAML sign-on scoped to wrong domain #116

ryanhofdotgov · 2018-05-07T18:50:52Z

After successful SAML sign-on, the backend sets a cookie in the redirect response, but the cookie is scoped to the fully-qualified domain name (FQDN) of the frontend. The backend has no authority to do that, and so the browser does not expose the cookie to the frontend on the subsequent request.

I believe that this wasn't caught during the initial development because testing was done using localhost as the FQDN for the frontend and backend.

The text was updated successfully, but these errors were encountered:

Fixes #116 - set cookie domain via COOKIE_DOMAIN

ryanhofdotgov added the bug label May 7, 2018

ryanhofdotgov self-assigned this May 7, 2018

ryanhofdotgov closed this as completed in 67227de May 10, 2018

ryanhofdotgov added a commit that referenced this issue May 10, 2018

Merge pull request #117 from 18F/116-fix-cookie-domain

ca614c4

Fixes #116 - set cookie domain via COOKIE_DOMAIN

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

Cookie used to send auth token to front-end after SAML sign-on scoped to wrong domain #116

Cookie used to send auth token to front-end after SAML sign-on scoped to wrong domain #116

ryanhofdotgov commented May 7, 2018

Cookie used to send auth token to front-end after SAML sign-on scoped to wrong domain #116

Cookie used to send auth token to front-end after SAML sign-on scoped to wrong domain #116

Comments

ryanhofdotgov commented May 7, 2018