
SessionID changes after redirecting from AAD #10

Open
slovely opened this issue Mar 17, 2021 · 1 comment

Comments


slovely commented Mar 17, 2021

No idea if you can help with this, but any ideas would be massively appreciated.

I am using your provider and all seems to be OK, except when it calls back into the provider after authenticating with AD it hits this:

    // Callback from AAD: the 'state' query parameter must match the one stored on the session
    var state = query["state"];
    if (state != userSession.State)
    {
        session.IsAuthenticated = false;
        throw new UnauthorizedAccessException("Mismatched state in code response.");
    }

... and it always fails as .State is null, because the SessionId has changed. Interestingly, the new SessionId is exactly the same as the ID generated in RequestCode:

    {
        // RequestCode: generate a fresh, unguessable state and remember it on the session
        var state = Guid.NewGuid().ToString("N");
        userSession.State = state;

At this point I figured maybe something was messed up on our side that was somehow using the 'State' property as the SessionId, so I created a custom AuthUserSession with a different property to store the NewGuid() in, so that I could change the code to:

    userSession.MyCustomProperty = state;

but STILL when I return from AD auth it changes the SessionID to that same guid!

Do you have any idea what we might be doing to cause that to happen, or even just an idea on things I can look at?

If I comment out the check against the state, BTW, it all works as expected.


slovely commented Mar 17, 2021

Always the way, as soon as you ask a question the answer appears :)

    {
        // With SameSite cookies enabled, the framework drops the cookies on the
        // callback and recreates the session using the 'state' value as its Id
        var state = authService.Request.QueryString[Keywords.State];
        if (!string.IsNullOrEmpty(state))
        {
            (authService.Request.Response as IHttpResponse)?.ClearCookies();
            authService.Request.CreateTemporarySessionId(state);
            session = authService.Request.GetSession(reload: true);
        }
    }

We are using SameSiteCookies, which clears the cookies and creates a new one with the ID of the value on the state parameter.

I propose this change, and it will work regardless of the SameSite setting. Let me know if you would like a PR.

    private object RequestCode(IServiceBase authService, IAuthSession session, AuthUserSession userSession, IAuthTokens tokens)
    {
        // When SameSite cookies are on, use the session Id as the state so the
        // session recreated from 'state' on the callback is the original one
        var state = HostContext.Config?.UseSameSiteCookies == true ? session.Id : Guid.NewGuid().ToString("N");
        userSession.State = state;

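The following is an added, self-contained simulation of the two behaviours described in this thread; it is not code from the provider or from ServiceStack. It models a session store as a dictionary and reproduces the SameSite-cookie callback behaviour quoted above (cookies cleared, session recreated with the `state` value as its Id), so you can see why the original `Guid.NewGuid()` state fails the check only when SameSite cookies are on, and why the proposed `session.Id` state passes in both modes. `StateCheckDemo`, `RequestCode(bool)` and `Callback(...)` are names invented for this demo.

```csharp
using System;
using System.Collections.Generic;

// Illustrative model only: the session store and the class/method names
// below are assumptions made for this demo, not ServiceStack's API.
public sealed class AuthUserSession
{
    public string Id { get; set; } = "";
    public string? State { get; set; }
}

public sealed class StateCheckDemo
{
    private readonly Dictionary<string, AuthUserSession> sessions = new();
    private readonly bool useSameSiteCookies;

    public StateCheckDemo(bool useSameSiteCookies)
    {
        this.useSameSiteCookies = useSameSiteCookies;
    }

    // Start of the flow: create the session (the cookie) and choose the OAuth state.
    // fixedBehaviour=false: original provider, always a fresh GUID.
    // fixedBehaviour=true:  proposed change, session.Id when SameSite cookies are on.
    public (string sessionId, string state) RequestCode(bool fixedBehaviour)
    {
        var session = new AuthUserSession { Id = Guid.NewGuid().ToString("N") };
        sessions[session.Id] = session;

        var state = fixedBehaviour && useSameSiteCookies
            ? session.Id
            : Guid.NewGuid().ToString("N");
        session.State = state;
        return (session.Id, state);
    }

    // The redirect back from AAD. With SameSite cookies the cookie is cleared and a
    // temporary session is created whose Id is the 'state' query value; otherwise the
    // session is looked up from the cookie as usual.
    public bool Callback(string cookieSessionId, string stateFromQuery)
    {
        var sessionId = useSameSiteCookies ? stateFromQuery : cookieSessionId;
        if (!sessions.TryGetValue(sessionId, out var session))
        {
            // Temporary session with no recorded State: this is the "State is null" case
            session = new AuthUserSession { Id = sessionId };
            sessions[sessionId] = session;
        }
        // The provider's check: mismatched (or missing) state means the callback is rejected
        return session.State != null && stateFromQuery == session.State;
    }

    public static void Main()
    {
        foreach (var sameSite in new[] { false, true })
        foreach (var fixedBehaviour in new[] { false, true })
        {
            var demo = new StateCheckDemo(sameSite);
            var (sessionId, state) = demo.RequestCode(fixedBehaviour);
            var ok = demo.Callback(sessionId, state);
            var tampered = demo.Callback(sessionId, "not-the-issued-state");
            Console.WriteLine(
                $"SameSite={sameSite} fix={fixedBehaviour}: genuine callback {(ok ? "passes" : "fails")}, " +
                $"tampered state {(tampered ? "passes" : "fails")}");
        }
    }
}
```

Running it prints four lines: only the combination SameSite=true with the original behaviour fails the genuine callback, which is the symptom reported above, while a tampered state is rejected in every mode. Note that in both modes the state is still a per-request GUID (either a fresh one or the session's own), so the check keeps rejecting callbacks whose state was not issued by this session.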