
Mellon Cookie is lost in Internet Explorer #47

Open
alsalehf opened this issue Dec 29, 2020 · 20 comments

Comments

@alsalehf

Hello,

We have configured our Apache using the Mellon auth module to use SAML 2.0 in our company.

Our test index page is redirected successfully after authentication in Edge. However, IE11, which is used heavily in our company, returns a bad request error. The SSL error log says "User has disabled cookies or has lost the cookie before returning from SAML2.0 login server. Referer: [a web page]".

I have used the developer tool network tab in IE and saw that mellon-cookie is set to cookietest at some point and never set to a session id later. The communication is stuck at the postResponse endpoint.

Please help. Thanks!

@thijskh

thijskh commented Dec 29, 2020

I would check the settings of those cookies. Is the secure flag properly set and the domain and path correct?

@alsalehf

I would check the settings of those cookies. Is the secure flag properly set and the domain and path correct?

Yes, everything is set correctly when traced in the developer tool. The cookie's Secure flag is on. It works in Edge but not in IE for some reason.

@thijskh

thijskh commented Dec 29, 2020

Alright. In any case this is then an issue with that browser that we as the Mellon project cannot really debug remotely. Maybe the developer toolbar can give some hints as to why the cookies are dropped.

@alsalehf

I have seen another issue in the old repository where some users keep getting bad request, but I'm not sure how they resolved it. Is there a size limit for the cookie that Mellon can define? Maybe IE is getting a very long header and thus dropping the cookie.

@thijskh

thijskh commented Dec 29, 2020

It should be evident from the cookies you can see whether they are "long", no?

@alsalehf

It's not that long. I just tried on Edge again right now and got a bad error. Sometimes it works and sometimes it doesn't. I'm not sure where to begin to debug. Can you please help?

@thijskh

thijskh commented Dec 29, 2020

I don't have access to IE11 so I cannot really debug something that happens entirely in that browser, I'm afraid.

@alsalehf

The error occurred in Edge as well, so I don't think it's a browser issue. The Apache error log is saying the user has disabled cookies or has lost the cookie.

@workflo

workflo commented Jan 6, 2021

We also encounter this problem (mainly with Chrome) from time to time.
The Apache log says:
"User has disabled cookies, or has lost the cookie before returning from the SAML2 login server."
and mellon-cookie has the value "cookietest". Retrying login does not work until the cookie is deleted manually or the browser is restarted.

I just encountered it with Chrome 87 / Linux today, but others have reported it for Chrome on other platforms as well. I cannot recall any reports concerning IE or Edge though (which does not prove anything).

"Certain" people seem to encounter this specific problem more often than others, which sounds quite weird. Maybe a race condition? It's very hard to get a handle on this one, because it happens so rarely.

We are currently using the following version of mod-auth-mellon:
libapache2-mod-auth-mellon/stretch-backports,stretch-backports,now 0.14.2-1~bpo9+3 amd64

@workflo

workflo commented Mar 10, 2021

I finally solved my problem (which I could reproduce in Chrome >= 84 only):

MellonSecureCookie On
MellonCookieSameSite None

did the trick. We have a cross-domain situation here: IDP on idp.firstdomain.com and SP on sp.seconddomain.com.
I still don't quite understand why Chrome treats mellon-cookie as 3rd-party, but it did and thus didn't send the mellon-cookie=cookietest back on the /mellon/login request.
But, because of https://www.chromestatus.com/feature/5088147346030592 everything worked within the first 2 minutes after first invoking the login page but failed after this magic 2-minute window!

rgriffogoes added a commit to rgriffogoes/mod_auth_mellon that referenced this issue Mar 11, 2021
get SameSite=None regardless of samesite setting, unless samesite
property is disabled.

Addresses latchset#20 and likely latchset#47
@rgriffogoes

Just created a pull request based on my understanding of the documentation and of the code. With the change, the CookieTest will have SameSite=None regardless of the configuration.

As a workaround, I also did like @workflo and set the properties:

MellonSecureCookie On
MellonCookieSameSite None

jhrozek pushed a commit that referenced this issue Mar 19, 2021
get SameSite=None regardless of samesite setting, unless samesite
property is disabled.

Addresses #20 and likely #47
@vladsf

vladsf commented May 6, 2021

lax
This is due to the POST response. Lax cookies are not sent to /mellon/postResponse. Only GET requests have cookies attached.

@moihn

moihn commented Dec 3, 2021

It seems that now, by default, the cookietest cookie will be sent with SameSite=None even if MellonCookieSameSite is omitted from httpd.conf.

I have these commented out:

# MellonSecureCookie On
# MellonCookieSameSite None

But my browser developer tool told me:
[screenshot of the browser developer tool]

So finally, my SP cannot get this cookie and says:

User has disabled cookies, or has lost the cookie before returning from the SAML2 login server.

This behavior doesn't match the message in the commit referenced above:

get SameSite=None regardless of samesite setting, unless samesite
property is disabled.

In my case, it is the "unless samesite property is disabled", and it should not set SameSite=None, am I right?

On the old 0.14 version, SameSite=None is not set if I omit MellonCookieSameSite from httpd.conf. I can see that in the Chrome developer tool of the same version of the Chrome browser:
[screenshot of the Chrome developer tool]

@lbenz

lbenz commented Dec 7, 2021

@moihn are you using Okta? I am facing the same issue with exactly the same Apache log message:
"User has disabled cookies, or has lost the cookie before returning from the SAML2 login server."
The Mellon version is mod_auth_mellon-0.14.0-8, so I am unable to use directives like MellonDiagnostic On or MellonCookieSameSite None.

@MarkJaroski

We see this from time to time with AzureAD as the IdP. I'm one of the users who experiences it, in Chrome.

Since it was happening to me, I had presumed that it was because of cookie header overload, because I do a lot of testing, but it seems to happen to a handful of other users too.

@moihn

moihn commented Jan 10, 2022

@moihn are you using Okta? I am facing the same issue with exactly the same Apache log message "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server." The Mellon version is mod_auth_mellon-0.14.0-8, so I am unable to use directives like MellonDiagnostic On or MellonCookieSameSite None.

No, it is not with Okta. It seems to be with PingIdentity SSO, but I'm not sure as we are only on the SP side.

@moihn

moihn commented Mar 4, 2022

I think these two lines, which force SameSite=None, are the culprit:
7ef4ae7#diff-f2861001cdce29984f5031aa6ff007f0390c449c818ba5052daf5abfdb20cc48R3268

If SameSite=None is needed, people should just configure MellonCookieSameSite None, the code shouldn't hardcode/force it.

@moihn

moihn commented Mar 4, 2022

I currently have to use # BrowserMatch "Chrom* " MELLON_DISABLE_SAMESITE=1 or SetEnv MELLON_DISABLE_SAMESITE 1 in httpd.conf to stop SameSite=None from being set.

@sagarkhushalani

sagarkhushalani commented Mar 18, 2022

We've been having the same issue, at least in Chrome and Edge. I'm going to try @moihn's BrowserMatch setting above.

Our Mellon settings:

```apache
AuthType Mellon
MellonEnable auth
MellonEndpointPath /mellon/
MellonSPMetadataFile /etc/httpd/saml/mellon_metadata.xml
MellonSPPrivateKeyFile /etc/pki/tls/private/localhost.key
MellonSPCertFile /etc/pki/tls/certs/localhost.crt
MellonIdPMetadataFile /etc/httpd/saml/idp_metadata.xml
MellonUser "${SAML_USER_ATTRIBUTE}"
MellonSetEnvNoPrefix REMOTE_USER "${SAML_USER_ATTRIBUTE}"

RewriteEngine On
RequestHeader unset "X-Forwarded-User"
RequestHeader unset "X-Forwarded-Groups"
Require valid-user
RequestHeader set X-Remote-User expr=%{REMOTE_USER}
RequestHeader set X-Forwarded-User expr=%{REMOTE_USER}
```

The error in Apache:

"User has disabled cookies, or has lost the cookie before returning from the SAML2 login server"

We are using Azure AD as our IDP.

@piotrp

piotrp commented May 18, 2022

The issue seems to be caused by forcing the test cookie to always be sent as SameSite=None, even on unencrypted connections. Using SameSite=None MUST be accompanied by Secure (which implies HTTPS), and some browsers (Chromium-based?) ignore cookies with invalid flags.

@moihn thanks for your workaround 👍
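The three failure modes discussed in this thread (the SameSite=Lax default dropping the cookie on the IdP's cross-site POST to /mellon/postResponse, Chrome's two-minute "Lax+POST" grace window, and SameSite=None being rejected without Secure) can be modelled in a few lines. This is an added illustration, not code from mod_auth_mellon; the cookie scenarios are constructed, and the two-minute window and the Secure requirement are Chrome behaviour as documented at the chromestatus link above.

```python
from dataclasses import dataclass
from typing import Optional
LAX_POST_GRACE_SECONDS = 120  # Chrome's "Lax+POST" grace window for cookies without a SameSite attribute

@dataclass
class Cookie:
    name: str
    value: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool

def browser_accepts(cookie: Cookie, set_over_https: bool) -> bool:
    """Would a modern browser store this Set-Cookie at all?"""
    # SameSite=None is only valid together with Secure; the cookie is dropped otherwise.
    if cookie.same_site == "None" and not cookie.secure:
        return False
    # A Secure cookie cannot be set from a plain-HTTP origin.
    if cookie.secure and not set_over_https:
        return False
    return True

def sent_on_request(cookie: Cookie, method: str, cross_site: bool, https: bool,
                    seconds_since_set: float) -> bool:
    """Would the browser attach an already-stored cookie to this request?"""
    if cookie.secure and not https:
        return False
    if not cross_site:
        return True
    mode = cookie.same_site or "Lax"  # no attribute: Chrome >= 84 treats it as Lax
    if mode == "None":
        return True
    if mode == "Strict":
        return False
    # Lax: sent on top-level navigations with safe methods only ...
    if method in ("GET", "HEAD"):
        return True
    # ... except that a cookie with no SameSite attribute still rides along on a
    # top-level cross-site POST during the first two minutes after it was set.
    return cookie.same_site is None and seconds_since_set < LAX_POST_GRACE_SECONDS

def cookietest_reaches_post_response(cookie: Cookie, https: bool, seconds_since_set: float) -> bool:
    """Does mellon-cookie=cookietest come back on the IdP's cross-site POST to /mellon/postResponse?"""
    if not browser_accepts(cookie, set_over_https=https):
        return False
    return sent_on_request(cookie, "POST", cross_site=True, https=https, seconds_since_set=seconds_since_set)

# Constructed scenarios: IdP and SP on different registrable domains, both over HTTPS
default_cookie = Cookie("mellon-cookie", "cookietest", same_site=None, secure=True)
fixed_cookie = Cookie("mellon-cookie", "cookietest", same_site="None", secure=True)
```

With the default cookie the login succeeds only inside the two-minute window, which is exactly the "works, then fails after two minutes" pattern workflo described; with MellonSecureCookie On and MellonCookieSameSite None it succeeds regardless of timing.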
