bug: _session cookie of deleted user not invalidated, feature: cookie max-age #765
Comments
|
In order to don't break the user sign-in flow after a user deletion, we should either:
on iOS a temp workaround to this issue is to set ephimeralSession true, but is not possible on Android and also is not something nice, since the browser have stored the connectors account (like AppleID / Gmail) to be easily tapped |
|
I tried to pass |
|
Is there any update about? |
|
@michelerenzullo I'll take a look soon. |
|
Hi @michelerenzullo, I attempted to reproduce the issue but was unsuccessful. Here's my process:
Result: I was redirected to the sign-in page. The password form appeared without any errors. This behavior is expected because the server automatically invalidates and clears the session for the deleted user. Let me know if you need any clarification or if you'd like me to try a different approach. |
|
Hi @wangsijie , I believe there is something different in your environment, for app I mean any android or iOS application . The "_session" cookie is stored in Cookie Tab of Chrome or Safari (you can use Dev tools and remote debugging from your laptop). Even if you delete local storage, the cookie is still present and is erased only when doing an endSession on the endpoint of LogTo. Let me know how can I help you to reproduce, I will think something more advanced in a bit. |
|
The _session cookie is still holding the userID information has an hash, because this is verified in LogTo and it throws an error. The _session cookie can't be directly "deleted" because LogTo has no access to Chrome or Safari, only if executing an end session request this is erased, but this option is excluded since (point 2) the user deleted the app |
|
I can confirm that I'll do another test in native application. |
|
Hi, is there any update about this issue? Thank you |
|
Hi @michelerenzullo , I just have a test, but I can't reproduce. session-test.mp4 |
|
That s strange, have you checked if there is the _session cookie? If there isn't this explain why your app is still able to sign in again. I tested with Flutter. I will do a screen record. |
|
@xiaoyijun I created a similar test to yours, using an android emulator and a test app (flutter based), the cookie is kept stored in WebView Shell, so the bug persist in the same way as I described initially. In your test you are using native layer Android, so perhaps you are not launching a Tab in an external browser (doesn't matter if is WebView Shell / Chrome / Firefox / Safari iOS...), so somehow the In the video the "browser" is WebView Shell, but I can create the same test using Chrome and showing the same behaviour, where only deleting the cookie _session solve the issue (or generally speaking all data). The issue is not actually the _session cookie, is that, LogTo backend try to parse the info inside this cookie, when it should not parse (since 'login' prompt), or it should safely "ignore" since are pointing to a deleted user, rather than reject, returning an "invalid_grant" error 2024-07-30.20.00.36.mp4 |
|
Is there any update about? I can try to provide more info if can be helpful to you |
|
We are still unable to reproduce this in native SDKs, we are now trying to do it again with flutter SDK. |
|
@michelerenzullo are you using Logto Flutter SDK? |
|
I'm using flutter_appauth plugin, but I don't think makes any difference as long as it is flutter and not native SDKs. I can try to replicate with LogTo Flutter SDK as well to confirm. |
|
No worries, just want to confirm the native environment you have. As for all Logto native SDKs (including Flutter), we do not store login session cookies to the WebView. E.g. Swift SDK we have the ephimeralSession set to true. That is probably why @wangsijie and @xiaoyijun couldn't reproduce this issue. |
|
while this might be true for Swift SDK, using under the hood by default ephimeralSession, this is not true for LogTo Dart SDK, I just verified, LogTo Dart SDK stores for 14 days the _session cookie, I used |
|
I want to let you know that I found a workaround for my situation that does the job but I strongly believe that a more good / elegant approach should be done from your side, in the backend, my solution is to force an endSession when invalid_grant is detected during signIn or during refresh tokens (well actually both are the same thing under the hood). Reference here end session wipe out _session cookie but is not the best approach in my opinion |
Problem:
There is a specific circumstance where it's impossible to sign-in anymore till the deletion of
_sessioncookie in Chrome(Android) or Safari(iOS), even if theprompt=login.Related issue here openid/AppAuth-Android#874 and how it is solved
Steps to reproduce the issue, assuming you have a signin with auto code exchange and
prompt=login, i.e should always force a new login:PlatformException(authorize_and_exchange_code_failed, Failed to authorize: [error: invalid_grant, description: grant request is invalid], null, null)What would be the correct flow:
prompt=loginshould be a guarantee that any (corrupted or not corrupted)_session cookie previously stored in the browser won't prevent you to login againExplanations:
_sessioncookie that points to "dead" user information (deleted). The user will not be able to login anymore till he manually delete the_sessioncookie in Chrome.Possible solution:
max_age: 0along withprompt=login, so that the_sessioncookie auto-expire. In the specs there is actually an OpenID param called max-age or max-auth-age but I'm not sure LogTo implement it.You can notice, in the photo below that
_sessionis valid for 2 weeks from login, it should be always 0 whenprompt=loginis usedThe text was updated successfully, but these errors were encountered: