Mellon Cookie is lost in Internet Explorer #47
Comments
I would check the settings of those cookies. Is the secure flag properly set and the domain and path correct?
Yes, everything is set correctly when traced in the developer tools. The cookie's secure flag is on. It works in Edge but not in IE for some reason.
Alright. In any case this is then an issue with that browser that we as the Mellon project cannot really debug remotely. Maybe the developer toolbar can give some hints as to why the cookies are dropped.
I have seen another issue in the old repository where some users keep getting a bad request, but I'm not sure how they resolved it. Is there a size limit for the cookie that Mellon can define? Maybe IE is getting a very long header and thus dropping the cookie.
It should be evident from the cookies you can see whether they are "long", no?
It's not that long. I just tried on Edge again right now and got a bad error. Sometimes it works and sometimes it doesn't. I'm not sure where to begin to debug. Can you please help?
I don't have access to IE11, so I cannot really debug something that happens entirely in that browser, I'm afraid.
The error occurred in Edge as well, so I don't think it's a browser issue. The Apache error log is saying the user has disabled cookies or has lost the cookie.
We also encounter this problem (mainly with Chrome) from time to time. I just encountered it with Chrome 87 / Linux today, but others have reported it for Chrome on other platforms as well. I cannot recall any reports concerning IE or Edge though (which does not prove anything). "Certain" people seem to encounter this specific problem more often than others, which sounds quite weird. Maybe a race condition? It's very hard to get a handle on this one, because it happens so rarely. We are currently using the following version of mod-auth-mellon:
I finally solved my problem (which I could reproduce in Chrome >= 84 only):
did the trick. We have a cross-domain situation here: IdP on idp.firstdomain.com and SP on sp.seconddomain.com.
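As an added illustration that is not part of this thread and not mod_auth_mellon code: the script below models the browser's SameSite cookie rules to show why, in the cross-domain layout described above (IdP on idp.firstdomain.com, SP on sp.seconddomain.com), a session cookie that carries no SameSite attribute is dropped on the SAML HTTP-POST step. The IdP's auto-submitted form is a top-level cross-site POST to the SP's postResponse endpoint; Chrome 80+ (enforced from Chrome 84) treats a cookie without SameSite as Lax, and Lax cookies are only sent on cross-site top-level navigations with safe methods. Chrome's "Lax+POST" mitigation still sends such a cookie if it is under two minutes old, which is one explanation for the "sometimes it works" reports. Assumptions: the cookie name mellon-cookie and value cookietest from the issue report, a two-label public suffix for the site comparison, and the browser profiles CHROME_84 and LEGACY defined in the script.

```javascript
// Added example (not mod_auth_mellon code): a model of the browser's
// SameSite cookie rules, used to show why a session cookie that carries
// no SameSite attribute is dropped on the cross-site SAML POST back to
// the SP on Chrome >= 80 (enforced from Chrome 84), and why it can
// still work intermittently.

// Parse one Set-Cookie header value into name, value and the
// attributes this model cares about.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1),
    secure: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of parts.slice(1)) {
    const [k, ...v] = attr.split("=");
    const key = k.trim().toLowerCase();
    const val = v.join("=").trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = val;
  }
  return cookie;
}

// Registrable domain of a host. Assumption: two-label public suffixes
// such as ".com" (a real browser consults the public suffix list).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

const SAFE_METHODS = ["GET", "HEAD", "OPTIONS", "TRACE"];

// Browser profiles used by the model (assumed names, not real settings).
const CHROME_84 = { laxByDefault: true, laxPostGraceSeconds: 120 };
const LEGACY = { laxByDefault: false, laxPostGraceSeconds: 0 };

// Would `cookie`, set by `cookieHost` over https, be attached to a
// request to `cookieHost` whose initiator is `initiatorHost`?
function cookieSent(cookie, req) {
  const { cookieHost, initiatorHost, method, topLevel, https, ageSeconds, browser } = req;
  if (cookie.secure && !https) return false;
  if (siteOf(cookieHost) === siteOf(initiatorHost)) return true; // same-site: always sent

  let mode = cookie.sameSite;
  if (mode === "none") {
    // Chrome 80+ rejects SameSite=None cookies that are not Secure.
    return browser.laxByDefault ? cookie.secure : true;
  }
  if (mode !== "strict" && mode !== "lax") {
    // Attribute absent or unrecognised.
    if (!browser.laxByDefault) return true; // pre-2020 behaviour
    // "Lax + POST": a SameSite-less cookie younger than the grace
    // period is still sent on a top-level cross-site POST.
    if (topLevel && method === "POST" && ageSeconds <= browser.laxPostGraceSeconds) return true;
    mode = "lax";
  }
  if (mode === "strict") return false;
  return topLevel && SAFE_METHODS.includes(method); // lax
}

// The mellon flow from the thread: SP sp.seconddomain.com sets its
// cookie, redirects to idp.firstdomain.com, and the IdP's auto-submit
// form POSTs the SAMLResponse to the SP's postResponse endpoint.
// `ageSeconds` is how long the user spent at the IdP.
function cookieDeliveredOnSamlPost(setCookieHeader, browser, ageSeconds) {
  const cookie = parseSetCookie(setCookieHeader);
  return cookieSent(cookie, {
    cookieHost: "sp.seconddomain.com",
    initiatorHost: "idp.firstdomain.com",
    method: "POST",
    topLevel: true,
    https: true,
    ageSeconds,
    browser,
  });
}

// Constructed Set-Cookie headers (cookie name/value as in the issue report).
const WITHOUT = "mellon-cookie=cookietest; Path=/; Secure";
const WITH_NONE = "mellon-cookie=cookietest; Path=/; Secure; SameSite=None";

console.log("Chrome 84, no SameSite, 5 min at IdP:", cookieDeliveredOnSamlPost(WITHOUT, CHROME_84, 300));
console.log("Chrome 84, no SameSite, 30 s at IdP: ", cookieDeliveredOnSamlPost(WITHOUT, CHROME_84, 30));
console.log("Chrome 84, SameSite=None; Secure:     ", cookieDeliveredOnSamlPost(WITH_NONE, CHROME_84, 300));
console.log("Legacy browser, no SameSite:          ", cookieDeliveredOnSamlPost(WITHOUT, LEGACY, 300));
```

The first two calls are the interesting pair: the same cookie survives a quick login and is lost after a slow one (for example, one with an MFA prompt), which matches the intermittent "lost the cookie before returning from the SAML2 login server" reports in this thread. Only the `SameSite=None; Secure` variant is delivered regardless of how long the IdP step takes.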
get SameSite=None regardless of samesite setting, unless samesite property is disabled. Addresses latchset#20 and likely latchset#47
Just created a pull request based on my understanding of the documentation and of the code. With the change, the CookieTest will have SameSite=None regardless of the configuration. As a workaround, I also did like @workflo and set the properties:
@moihn, are you using Okta? I am facing the same issue with exactly the same Apache log message.
We see this from time to time with AzureAD as the IDP. I'm one of the users who experiences it, in Chrome. Since it was happening to me, I had presumed that it was because of cookie header overload because I do a lot of testing, but it seems to happen to a handful of other users too.
No, it is not with Okta. It seems to be with PingIdentity SSO, but I'm not so sure, as we are only on the SP side.
I think it's these two lines that forced SameSite=None which are the culprit: If SameSite=None is needed, people should just configure
I currently have to use
We've been having the same issue, at least in Chrome and Edge. I'm going to try @moihn's BrowserMatch setting above. Our Mellon settings: `AuthType Mellon`, `RewriteEngine On`. The error in Apache: "User has disabled cookies, or has lost the cookie before returning from the SAML2 login server". We are using Azure AD as our IDP.
The issue seems to be caused by forcing @moihn, thanks for your workaround 👍
Hello,
We have configured our Apache using the Mellon auth module to use SAML 2.0 in our company.
Our test index page is redirected successfully after authentication in Edge. However, IE11, which is used heavily in our company, returns a bad request error. The SSL error log says "User has disabled cookies or has lost the cookie before returning from SAML2.0 login server. Referer: [a web page]"
I have used the developer tool's network tab in IE and saw that mellon-cookie is set to cookietest at some point and never set to a session ID later. The communication is stuck at the postResponse endpoint.
Please help. Thanks!