From b8ee52d250c202db86957f427442225fada12a69 Mon Sep 17 00:00:00 2001 From: Daniel Wachter Date: Wed, 24 Jan 2024 15:04:10 +0200 Subject: [PATCH] Fix request tracker cookie delete Currently when stopping tracking a request the SP tried to delete the relevant cookie by setting it again with an empty value and and expired time. This doesn't work since the path doesn't match the one of the original cookie. Fixed by setting the delete cookie path using the same ACS path. --- samlsp/middleware_test.go | 2 +- samlsp/request_tracker_cookie.go | 1 + 2 files changed, 2 insertions(+), 1 deletion(-) diff --git a/samlsp/middleware_test.go b/samlsp/middleware_test.go index fdb05b20..f93de519 100644 --- a/samlsp/middleware_test.go +++ b/samlsp/middleware_test.go @@ -409,7 +409,7 @@ func TestMiddlewareCanParseResponse(t *testing.T) { assert.Check(t, is.Equal("/frob", resp.Header().Get("Location"))) assert.Check(t, is.DeepEqual([]string{ - "saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT", + "saml_KCosLjAyNDY4Ojw-QEJERkhKTE5QUlRWWFpcXmBiZGZoamxucHJ0dnh6=; Path=/saml2/acs; Domain=15661444.ngrok.io; Expires=Thu, 01 Jan 1970 00:00:01 GMT", "ttt=" + test.expectedSessionCookie + "; " + "Path=/; Domain=15661444.ngrok.io; Max-Age=7200; HttpOnly; Secure"}, resp.Header()["Set-Cookie"])) diff --git a/samlsp/request_tracker_cookie.go b/samlsp/request_tracker_cookie.go index d9189f63..156ee157 100644 --- a/samlsp/request_tracker_cookie.go +++ b/samlsp/request_tracker_cookie.go @@ -67,6 +67,7 @@ func (t CookieRequestTracker) StopTrackingRequest(w http.ResponseWriter, r *http cookie.Value = "" cookie.Domain = t.ServiceProvider.AcsURL.Hostname() cookie.Expires = time.Unix(1, 0) // past time as close to epoch as possible, but not zero time.Time{} + cookie.Path = t.ServiceProvider.AcsURL.Path http.SetCookie(w, cookie) return nil }