Duplicate continuity cookies cause requests to fail #2121
Assignees
Labels
bug
Something is not working.
Comments
aeneasr
added a commit
to ory/nosurf
that referenced
this issue
Jan 8, 2022
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See ory/kratos#2121 See ory-corp/cloud#1786
aeneasr
added a commit
to ory/nosurf
that referenced
this issue
Jan 8, 2022
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See ory/kratos#2121 See ory-corp/cloud#1786
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See #2121 See ory-corp/cloud#1786
7 tasks
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See #2121 See ory-corp/cloud#1786
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See #2121 See ory-corp/cloud#1786
|
I was able to reproduce this by changing the cookie's signature to something else which means, probably, that the signature will cause a mismatch. In this case, I am consistently able to reproduce this issue. |
|
This would then also explain why, when two cookies are given, and the first one is always a dud, the error does not go away on a retry. That is because the cookie is never updated when there is a cookie match, but a signature mismatch. |
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves several reports related to incorrect handling of invalid continuity issues. Closes #2121 Closes ory-corp/cloud#1786 Closes #2016 Potentially #2108
7 tasks
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves several reports related to incorrect handling of invalid continuity issues. Closes #2121 Closes ory-corp/cloud#1786 Closes #2016 Potentially #2108
aeneasr
added a commit
that referenced
this issue
Jan 8, 2022
Resolves several reports related to incorrect handling of invalid continuity issues. Closes #2121 Closes ory-corp/cloud#1786 Closes #2016 Potentially #2108
peturgeorgievv
pushed a commit
to senteca/kratos-fork
that referenced
this issue
Jun 30, 2023
Resolves an issue where, when multiple CSRF cookies are set, a random one would be used to verify the CSRF token. Now, regardless of how many conflicting CSRF cookies exist, if one of them is valid, the request will pass and clean up the cookie store. See ory#2121 See ory-corp/cloud#1786
peturgeorgievv
pushed a commit
to senteca/kratos-fork
that referenced
this issue
Jun 30, 2023
Resolves several reports related to incorrect handling of invalid continuity issues. Closes ory#2121 Closes ory-corp/cloud#1786 Closes ory#2016 Potentially ory#2108
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
As experienced multiple times by @amorevino and just captured by @sashatalalasha
Google callback request:
Google callback response headers:
redirects to error page with error:
{ "id": "c7235a89-b79b-4db0-aa7f-0b8c0d565581", "error": { "code": 400, "debug": "Resumable ID from cookie could not be found in the datastore: id=\nrid=\nerror=Unable to locate the resource\nreason=\ndetails=map[]\ndebug=\n\ngithub.com/ory/x/sqlcon.HandleError\n\t/go/pkg/mod/github.com/ory/[email protected]/sqlcon/error.go:68\ngithub.com/ory/kratos/persistence/sql.(*Persister).GetContinuitySession\n\t/go/pkg/mod/github.com/ory/[email protected]/persistence/sql/persister_continuity.go:28\ngithub.com/ory/kratos/continuity.(*ManagerCookie).container\n\t/go/pkg/mod/github.com/ory/[email protected]/continuity/manager_cookie.go:114\ngithub.com/ory/kratos/continuity.(*ManagerCookie).Continue\n\t/go/pkg/mod/github.com/ory/[email protected]/continuity/manager_cookie.go:64\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).validateCallback\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/oidc/strategy.go:253\ngithub.com/ory/kratos/selfservice/strategy/oidc.(*Strategy).handleCallback\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/oidc/strategy.go:297\ngithub.com/ory/kratos/selfservice/strategy.disabledWriter\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/handler.go:25\ngithub.com/ory/kratos/selfservice/strategy.IsDisabled.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/selfservice/strategy/handler.go:30\ngithub.com/ory/kratos/x.NoCacheHandler.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/x/nocache.go:18\ngithub.com/julienschmidt/httprouter.(*Router).ServeHTTP\n\t/go/pkg/mod/github.com/julienschmidt/[email protected]/router.go:387\ngithub.com/ory/nosurf.(*CSRFHandler).handleSuccess\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:212\ngithub.com/ory/nosurf.(*CSRFHandler).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/handler.go:169\ngithub.com/urfave/negroni.Wrap.func1\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:46\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\ngithub.com/ory/kratos/x.glob..func1\n\t/go/pkg/mod/github.com/ory/[email protected]/x/clean_url.go:12\ngithub.com/urfave/negroni.HandlerFunc.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:29\ngithub.com/urfave/negroni.middleware.ServeHTTP\n\t/go/pkg/mod/github.com/urfave/[email protected]/negroni.go:38\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerResponseSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:198\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerCounter.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:101\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:68\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerDuration.func2\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:76\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/prometheus/client_golang/prometheus/promhttp.InstrumentHandlerRequestSize.func1\n\t/go/pkg/mod/github.com/prometheus/[email protected]/prometheus/promhttp/instrument_server.go:165\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/ory/x/prometheusx.Metrics.instrumentHandlerStatusBucket.func1\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/metrics.go:108\nnet/http.HandlerFunc.ServeHTTP\n\t/usr/local/go/src/net/http/server.go:2050\ngithub.com/ory/x/prometheusx.(*MetricsManager).ServeHTTP\n\t/go/pkg/mod/github.com/ory/[email protected]/prometheusx/middleware.go:30", "message": "session is not resumable", "reason": "No resumable session could be found in the HTTP Header.", "status": "Bad Request" }, "created_at": "2022-01-07T13:26:09.432572Z", "updated_at": "2022-01-07T13:26:09.432572Z" }The text was updated successfully, but these errors were encountered: