
Fix: Only attempt split_cookie extraction if all of the cookies are present #931

Merged
merged 1 commit into from
Oct 24, 2021

Conversation

carlobeltrame (Contributor) commented Oct 4, 2021

Fixes #930

As explained in #930, this isn't a breaking change, because setups with partial cookies couldn't have made sense for anyone before. Some examples:

  • 2 cookies jwt_hp and jwt_s, first one missing: Will result in .eySignature, which is not a valid JWT token (note the leading period)
  • 2 cookies jwt_hp and jwt_s, second one missing: Will result in eyHeader.eyPayload., which is not a valid JWT token (note the trailing period)
  • 2 cookies jwt_complete and optional_suffix, second one missing: Will result in eyHeader.eyPayload.eySignature., which is not a valid JWT token (note the trailing period)
  • 3 cookies jwt_h, jwt_p and jwt_s, middle one missing: Will result in eyHeader..eySignature, which is not a valid JWT token (note the two consecutive periods)

So up until now, there is no way someone was successfully using the SplitCookieExtractor with only some of the cookies present.
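The four partial-cookie cases listed above, modelled in Python as an added example (this is not the bundle's own PHP code): extract_before mimics the pre-fix concatenation, extract_after the all-cookies-present check this PR introduces. Cookie names and token fragments are the ones from the description, constructed for illustration.

```python
from typing import Mapping, Optional, Sequence


def extract_before(cookies: Mapping[str, str], names: Sequence[str]) -> str:
    """Pre-fix behaviour (modelled from the PR description): every configured
    cookie is read, a missing one becomes an empty fragment, and the fragments
    are joined with '.'. A missing cookie therefore yields a malformed token."""
    return ".".join(cookies.get(name, "") for name in names)


def extract_after(cookies: Mapping[str, str], names: Sequence[str]) -> Optional[str]:
    """Fixed behaviour: only extract when every configured cookie is present,
    otherwise return None so the request falls through to other extractors."""
    if not all(name in cookies for name in names):
        return None
    return ".".join(cookies[name] for name in names)


def is_well_formed_jwt(token: Optional[str]) -> bool:
    """Structural check only: exactly three non-empty dot-separated segments.
    Signature verification happens later and is out of scope here."""
    if token is None:
        return False
    segments = token.split(".")
    return len(segments) == 3 and all(segments)


# Constructed cases, mirroring the PR description. Each entry is
# (configured cookie names, cookies actually sent by the client).
CASES = {
    "first of two missing": (["jwt_hp", "jwt_s"], {"jwt_s": "eySignature"}),
    "second of two missing": (["jwt_hp", "jwt_s"], {"jwt_hp": "eyHeader.eyPayload"}),
    "optional suffix missing": (["jwt_complete", "optional_suffix"],
                                {"jwt_complete": "eyHeader.eyPayload.eySignature"}),
    "middle of three missing": (["jwt_h", "jwt_p", "jwt_s"],
                                {"jwt_h": "eyHeader", "jwt_s": "eySignature"}),
}


def compare(case: str):
    """Return (pre-fix token, post-fix token) for one constructed case."""
    names, cookies = CASES[case]
    return extract_before(cookies, names), extract_after(cookies, names)


if __name__ == "__main__":
    for case in CASES:
        before, after = compare(case)
        print(f"{case}: before={before!r} valid={is_well_formed_jwt(before)} | after={after!r}")
```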

carlobeltrame changed the title from "Only attempt split_cookie extraction if all of the cookies are present" to "Fix: Only attempt split_cookie extraction if all of the cookies are present" on Oct 4, 2021
chalasr (Collaborator) commented Oct 24, 2021

Good catch, thanks @carlobeltrame.

chalasr merged commit 7b79a11 into lexik:2.x on Oct 24, 2021
Successfully merging this pull request may close these issues.

Invalidate split_cookies client-side