Commit 03c3083f authored by Daniel A.C. Martin's avatar Daniel A.C. Martin Committed by Bruno Oliveira da Silva

[KEYCLOAK-10668] Do not set the cookie domain

By setting the domain attribute on the cookie we were allowing the
cookie to be applied to subdomains where it may not be valid and may
interfere with other services protected by keycloak-gatekeeper.

(For example, a gatekeeper running on https://domain.com could break a
gatekeeper running on https://sub.domain.com.)

Instead, we should simply not set the attribute unless there is
a specific domain configured.

For more information please see section 4.1.2.3 of [RFC 6265].

[RFC 6265]: https://tools.ietf.org/html/rfc6265#section-4.1.2
parent 45207a56
...@@ -28,7 +28,7 @@ import ( ...@@ -28,7 +28,7 @@ import (
// dropCookie drops a cookie into the response // dropCookie drops a cookie into the response
func (r *oauthProxy) dropCookie(w http.ResponseWriter, host, name, value string, duration time.Duration) { func (r *oauthProxy) dropCookie(w http.ResponseWriter, host, name, value string, duration time.Duration) {
// step: default to the host header, else the config domain // step: default to the host header, else the config domain
domain := strings.Split(host, ":")[0] domain := ""
if r.config.CookieDomain != "" { if r.config.CookieDomain != "" {
domain = r.config.CookieDomain domain = r.config.CookieDomain
} }
......
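Review bot: The comment `// step: default to the host header, else the config domain` is now stale, because the new line `domain := ""` no longer derives anything from the host header; it should read `// step: leave Domain unset (host-only cookie, RFC 6265 §4.1.2.3) unless CookieDomain is configured`. With the host header no longer consulted, the `host` parameter of dropCookie is unused in the visible lines; if nothing below the hunk reads it, it should either be removed or documented as kept for call-site compatibility, and the `strings` import needs checking for remaining uses in the file. An empty domain is the right default here, since a cookie without a Domain attribute is only returned to the exact origin host and cannot leak to sibling subdomains. The rest of dropCookie's body, where the http.Cookie is built and written, lies outside the hunk.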
...@@ -39,7 +39,7 @@ func TestCookieDomainHostHeader(t *testing.T) { ...@@ -39,7 +39,7 @@ func TestCookieDomainHostHeader(t *testing.T) {
defer resp.Body.Close() defer resp.Body.Close()
assert.NotNil(t, cookie) assert.NotNil(t, cookie)
assert.Equal(t, cookie.Domain, "127.0.0.1") assert.Equal(t, cookie.Domain, "")
} }
func TestCookieBasePath(t *testing.T) { func TestCookieBasePath(t *testing.T) {
...@@ -113,7 +113,7 @@ func TestDropCookie(t *testing.T) { ...@@ -113,7 +113,7 @@ func TestDropCookie(t *testing.T) {
p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0) p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
"test-cookie=test-value; Path=/; Domain=127.0.0.1", "test-cookie=test-value; Path=/",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
req = newFakeHTTPRequest("GET", "/admin") req = newFakeHTTPRequest("GET", "/admin")
...@@ -122,7 +122,7 @@ func TestDropCookie(t *testing.T) { ...@@ -122,7 +122,7 @@ func TestDropCookie(t *testing.T) {
p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0) p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
"test-cookie=test-value; Path=/; Domain=127.0.0.1", "test-cookie=test-value; Path=/",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
req = newFakeHTTPRequest("GET", "/admin") req = newFakeHTTPRequest("GET", "/admin")
...@@ -149,7 +149,7 @@ func TestDropRefreshCookie(t *testing.T) { ...@@ -149,7 +149,7 @@ func TestDropRefreshCookie(t *testing.T) {
p.dropRefreshTokenCookie(req, resp, "test", 0) p.dropRefreshTokenCookie(req, resp, "test", 0)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
refreshCookie+"=test; Path=/; Domain=127.0.0.1", refreshCookie+"=test; Path=/",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
} }
...@@ -162,7 +162,7 @@ func TestSessionOnlyCookie(t *testing.T) { ...@@ -162,7 +162,7 @@ func TestSessionOnlyCookie(t *testing.T) {
p.dropCookie(resp, req.Host, "test-cookie", "test-value", 1*time.Hour) p.dropCookie(resp, req.Host, "test-cookie", "test-value", 1*time.Hour)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
"test-cookie=test-value; Path=/; Domain=127.0.0.1", "test-cookie=test-value; Path=/",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
} }
...@@ -174,7 +174,7 @@ func TestHTTPOnlyCookie(t *testing.T) { ...@@ -174,7 +174,7 @@ func TestHTTPOnlyCookie(t *testing.T) {
p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0) p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
"test-cookie=test-value; Path=/; Domain=127.0.0.1", "test-cookie=test-value; Path=/",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
req = newFakeHTTPRequest("GET", "/admin") req = newFakeHTTPRequest("GET", "/admin")
...@@ -183,7 +183,7 @@ func TestHTTPOnlyCookie(t *testing.T) { ...@@ -183,7 +183,7 @@ func TestHTTPOnlyCookie(t *testing.T) {
p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0) p.dropCookie(resp, req.Host, "test-cookie", "test-value", 0)
assert.Equal(t, resp.Header().Get("Set-Cookie"), assert.Equal(t, resp.Header().Get("Set-Cookie"),
"test-cookie=test-value; Path=/; Domain=127.0.0.1; HttpOnly", "test-cookie=test-value; Path=/; HttpOnly",
"we have not set the cookie, headers: %v", resp.Header()) "we have not set the cookie, headers: %v", resp.Header())
} }
...@@ -194,7 +194,7 @@ func TestClearAccessTokenCookie(t *testing.T) { ...@@ -194,7 +194,7 @@ func TestClearAccessTokenCookie(t *testing.T) {
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
p.clearAccessTokenCookie(req, resp) p.clearAccessTokenCookie(req, resp)
assert.Contains(t, resp.Header().Get("Set-Cookie"), assert.Contains(t, resp.Header().Get("Set-Cookie"),
accessCookie+"=; Path=/; Domain=127.0.0.1; Expires=", accessCookie+"=; Path=/; Expires=",
"we have not cleared the, headers: %v", resp.Header()) "we have not cleared the, headers: %v", resp.Header())
} }
...@@ -204,7 +204,7 @@ func TestClearRefreshAccessTokenCookie(t *testing.T) { ...@@ -204,7 +204,7 @@ func TestClearRefreshAccessTokenCookie(t *testing.T) {
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
p.clearRefreshTokenCookie(req, resp) p.clearRefreshTokenCookie(req, resp)
assert.Contains(t, resp.Header().Get("Set-Cookie"), assert.Contains(t, resp.Header().Get("Set-Cookie"),
refreshCookie+"=; Path=/; Domain=127.0.0.1; Expires=", refreshCookie+"=; Path=/; Expires=",
"we have not cleared the, headers: %v", resp.Header()) "we have not cleared the, headers: %v", resp.Header())
} }
...@@ -214,7 +214,7 @@ func TestClearAllCookies(t *testing.T) { ...@@ -214,7 +214,7 @@ func TestClearAllCookies(t *testing.T) {
resp := httptest.NewRecorder() resp := httptest.NewRecorder()
p.clearAllCookies(req, resp) p.clearAllCookies(req, resp)
assert.Contains(t, resp.Header().Get("Set-Cookie"), assert.Contains(t, resp.Header().Get("Set-Cookie"),
accessCookie+"=; Path=/; Domain=127.0.0.1; Expires=", accessCookie+"=; Path=/; Expires=",
"we have not cleared the, headers: %v", resp.Header()) "we have not cleared the, headers: %v", resp.Header())
} }
......
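Review bot: TestCookieDomainHostHeader in the first hunk now asserts `cookie.Domain == ""`, so its name no longer describes what it checks: it was verifying that the host header became the cookie domain, and after this change it only confirms the attribute is omitted. Consider renaming it, e.g. `TestCookieDomainUnsetByDefault`, and, if no sibling test in this file already sets `config.CookieDomain`, adding one that asserts the configured value is emitted, since that is the only remaining branch in dropCookie that sets the attribute. The remaining hunks only update expected Set-Cookie strings to drop `Domain=127.0.0.1`, which is consistent with the new behaviour. Each test function shown starts outside its hunk.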