
[Bug]: Infinite loop if the Csrf cookie is set twice #2606

Open
Primexz opened this issue Apr 10, 2024 · 1 comment · May be fixed by #2607

Comments


Primexz commented Apr 10, 2024

OAuth2-Proxy Version

7.6.0

Provider

None

Expected Behaviour

If I have two invalid CSRF cookies as a user, I expect to be able to log in without deleting my cookies.

Current Behaviour

As soon as the CSRF token is set twice, a user will end up in an endless loop and will no longer be able to log in without deleting their cookies.

[Screenshot (2024-04-10 15:13:59) and screen recording (2024-04-10 15:20:30) attached to the issue]

Steps To Reproduce

  1. Set two cookies with the same name (preferably for two different domains; in this example the wildcard "." domain was used)
  2. Try to log in (you will see a 403)
  3. Press Login in the error form of the OAuth2 Proxy
  4. You will end up on the 403 page again

Possible Solutions

The solution I have in mind is to search all cookies with the correct name to see if a matching CSRF cookie can be found.

Configuration details or additional information

No response

@Primexz Primexz linked a pull request Apr 10, 2024 that will close this issue
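The failure mode and the proposed fix in one runnable form. This is an added example, not oauth2-proxy's code: the HMAC-signed "nonce.tag" cookie value, the secret, the cookie name and the callback URL are all stand-ins chosen here. What it shows is the part that does not depend on those details: Go's `r.Cookie(name)` returns only the first cookie with that name, so when a browser sends a stale copy (for example one set on a parent domain) ahead of the fresh one, the lookup fails every time and the user is sent back to the login page; scanning `r.Cookies()` for any cookie with that name that verifies breaks the loop.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"net/http"
	"strings"
)

// Hypothetical server secret used to authenticate CSRF cookie values.
// It stands in for the proxy's own cookie protection and is not its real scheme.
var csrfSecret = []byte("example-secret-do-not-use-in-production")

// Hypothetical CSRF cookie name; the lookup logic below does not depend on it.
const csrfCookieName = "_oauth2_proxy_csrf"

// makeCSRFValue produces "nonce.hmac(nonce)" so the server can recognise its
// own cookies without keeping any server-side state.
func makeCSRFValue(nonce string) string {
	mac := hmac.New(sha256.New, csrfSecret)
	mac.Write([]byte(nonce))
	return nonce + "." + hex.EncodeToString(mac.Sum(nil))
}

// verifyCSRFValue returns the nonce if the cookie value carries a valid tag.
func verifyCSRFValue(value string) (string, error) {
	nonce, _, ok := strings.Cut(value, ".")
	if !ok || nonce == "" {
		return "", errors.New("malformed csrf cookie")
	}
	if !hmac.Equal([]byte(value), []byte(makeCSRFValue(nonce))) {
		return "", errors.New("csrf cookie failed verification")
	}
	return nonce, nil
}

// firstCookieOnly is the lookup that produces the loop: r.Cookie returns the
// first cookie with the given name, so a stale duplicate sent ahead of the
// valid cookie shadows it on every attempt.
func firstCookieOnly(r *http.Request) (string, error) {
	c, err := r.Cookie(csrfCookieName)
	if err != nil {
		return "", err
	}
	return verifyCSRFValue(c.Value)
}

// anyMatchingCookie is the fix the issue proposes: walk every cookie with the
// CSRF name and accept the first one that verifies. With no cookie at all it
// reports http.ErrNoCookie, otherwise the last verification error seen.
func anyMatchingCookie(r *http.Request) (string, error) {
	var lastErr error = http.ErrNoCookie
	for _, c := range r.Cookies() {
		if c.Name != csrfCookieName {
			continue
		}
		nonce, err := verifyCSRFValue(c.Value)
		if err == nil {
			return nonce, nil
		}
		lastErr = err
	}
	return "", lastErr
}

// newCallbackRequest builds a constructed callback request carrying the given
// cookie values under the same name, in the order given. The Cookie header
// carries no Domain attribute, so two cookies set for different domains are
// indistinguishable here except by position.
func newCallbackRequest(cookieValues ...string) *http.Request {
	r, _ := http.NewRequest("GET", "https://app.example.com/oauth2/callback?state=abc", nil)
	for _, v := range cookieValues {
		r.AddCookie(&http.Cookie{Name: csrfCookieName, Value: v})
	}
	return r
}

func main() {
	stale := "old-nonce.0000deadbeef" // constructed stale cookie with a bad tag
	fresh := makeCSRFValue("fresh-nonce")
	r := newCallbackRequest(stale, fresh) // stale copy arrives first

	if _, err := firstCookieOnly(r); err != nil {
		fmt.Println("r.Cookie lookup:", err) // the 403 from the issue
	}
	if nonce, err := anyMatchingCookie(r); err == nil {
		fmt.Println("scan-all lookup: accepted nonce", nonce)
	}
}
```

Accepting any cookie that verifies does not weaken the CSRF check: a cookie still has to pass verification, and in the real login flow it is additionally matched against the state carried in the callback URL. What changes is only that a stale or foreign cookie under the same name can no longer block a valid one.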
@diegopazosrego

I solved this bug by adding these 2 options to the deployment of Oauth2-proxy, @Primexz!

"--cookie-csrf-per-request=true",
"--cookie-csrf-expire=5m", 

After adding this, you have to restart your deployment.
