
session is expired when secrets.cookie key is rotated #2272

Closed
5 of 6 tasks
mangalaman93 opened this issue Feb 28, 2022 · 3 comments
Assignees
Labels
bug Something is not working.

Comments

@mangalaman93
Preflight checklist

Describe the bug

I believe the description for secrets.cookie is not accurate. The link https://www.ory.sh/docs/kratos/reference/configuration has the following description -

 ## Signing Keys for Cookies ##
  #
  # The first secret in the array is used for encrypting cookies while all other keys are used to decrypt older cookies that were signed with that old secret.
  #

whereas the keys provided in this parameter are directly passed to the function from the repo https://github.com/gorilla/securecookie, which accepts a pair of keys, a hash key and an encryption key.

Reproducing the bug

In order to reproduce the bug, I followed the quickstart and ran kratos with following configuration -

secrets:
  cookie:
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

I opened the self service UI and opened http://127.0.0.1:4455/ in my browser. I created an account and logged in.

Then, I updated the configuration to the following -

secrets:
  cookie:
    - THIS-IS-A-NEW-SECRET-IT-WONT-WORK--
    - PLEASE-CHANGE-ME-I-AM-VERY-INSECURE
  cipher:
    - 32-LONG-SECRET-NOT-SECURE-AT-ALL

Then I ran the following command to restart kratos -

docker-compose -f quickstart.yml restart kratos

Then, I went to my browser again and refreshed the page. I was hoping that I would still be logged in, but the page showed the login form.

I updated the configuration back to the original configuration, restarted kratos, refreshed the browser page and it showed that I was logged in again.

Relevant log output

No response

Relevant configuration

No response

Version

oryd/kratos:v0.8.0-alpha.3

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Docker Compose

Additional Context

No response
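The key-handling contract the report describes above (a hash key that authenticates the cookie, a block key that encrypts it, the first secret used to seal, every configured secret tried when reading), shown as an added Go example that is not part of this issue, of Kratos or of gorilla/securecookie. It reimplements that pattern with the standard library only (HMAC-SHA256 plus AES-GCM) so it runs stand-alone, and also shows the reporter's other concern: a pair with no block key produces a cookie that is signed but readable in the clear. The `keyPair` type, the `pairFromSecret` derivation, the cookie name and the secret strings are all constructed for this example and do not reflect how Kratos derives or stores its keys.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"errors"
)

// keyPair mirrors the (hashKey, blockKey) pair gorilla/securecookie takes; the type is this example's own.
type keyPair struct {
	hashKey  []byte
	blockKey []byte // 16, 24 or 32 bytes for AES-GCM; nil means sign-only, no encryption
}

var errInvalid = errors.New("cookie: no configured key pair verifies this value")

// pairFromSecret derives both keys from one secret; constructed for this example, not Kratos's derivation.
func pairFromSecret(secret string) keyPair {
	h := sha256.Sum256([]byte("hash:" + secret))
	b := sha256.Sum256([]byte("block:" + secret))
	return keyPair{hashKey: h[:], blockKey: b[:]}
}

// rotate prepends the new pair and keeps the old ones: the documented rotation procedure.
func rotate(pairs []keyPair, fresh keyPair) []keyPair {
	return append([]keyPair{fresh}, pairs...)
}

// encode seals with the FIRST pair only ("the first secret is used for encrypting"); pairs must be non-empty.
func encode(pairs []keyPair, name string, value []byte) (string, error) {
	kp, payload := pairs[0], value
	if kp.blockKey != nil {
		gcm, err := newGCM(kp.blockKey)
		if err != nil {
			return "", err
		}
		nonce := make([]byte, gcm.NonceSize())
		if _, err := rand.Read(nonce); err != nil {
			return "", err
		}
		payload = gcm.Seal(nonce, nonce, value, nil) // nonce || ciphertext || GCM tag
	}
	out := append(append(make([]byte, 0, len(payload)+sha256.Size), payload...), mac(kp.hashKey, name, payload)...)
	return base64.RawURLEncoding.EncodeToString(out), nil
}

// decode tries every pair in order, so a cookie sealed under an older secret stays valid after rotation.
func decode(pairs []keyPair, name, encoded string) ([]byte, error) {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	if err != nil || len(raw) < sha256.Size {
		return nil, errInvalid
	}
	payload, tag := raw[:len(raw)-sha256.Size], raw[len(raw)-sha256.Size:]
	for _, kp := range pairs {
		if !hmac.Equal(mac(kp.hashKey, name, payload), tag) {
			continue // signed under another hashKey; try the next pair
		}
		if kp.blockKey == nil {
			return payload, nil // sign-only: the payload is the plaintext
		}
		gcm, err := newGCM(kp.blockKey)
		if err != nil || len(payload) < gcm.NonceSize() {
			return nil, errInvalid
		}
		ns := gcm.NonceSize()
		pt, err := gcm.Open(nil, payload[:ns], payload[ns:], nil)
		if err != nil {
			return nil, errInvalid
		}
		return pt, nil
	}
	return nil, errInvalid
}

// exposesPlaintext reports whether value appears verbatim in the cookie (signed but not encrypted).
func exposesPlaintext(encoded string, value []byte) bool {
	raw, err := base64.RawURLEncoding.DecodeString(encoded)
	return err == nil && bytes.Contains(raw, value)
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// mac binds the cookie name into the HMAC so a value cannot be replayed under another cookie name.
func mac(key []byte, name string, payload []byte) []byte {
	m := hmac.New(sha256.New, key)
	m.Write([]byte(name))
	m.Write([]byte{0}) // separator between name and payload
	m.Write(payload)
	return m.Sum(nil)
}
```

Sealing a cookie under `pairFromSecret("old")`, then calling `rotate` with a fresh pair and decoding again succeeds, which is the behaviour the reporter expected from the documented rotation; decoding with only the new pair fails, which is the behaviour observed. A pair with `blockKey == nil` makes `exposesPlaintext` return true for its cookies, which is why a configuration that supplies only a hash key authenticates but does not protect the session contents from being read.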

@mangalaman93 mangalaman93 added the bug Something is not working. label Feb 28, 2022
@mangalaman93 mangalaman93 changed the title from "secrets.cookie session is expired when keys are rotated" to "session is expired when secrets.cookie key is rotated" Feb 28, 2022
@mangalaman93 (Author)

I also wonder whether that means cookies are not encrypted if we specify just one key in the secrets.session and whether that is a problem!

@mangalaman93 (Author)

We should update the doc here too if this is accepted https://www.ory.sh/docs/kratos/guides/secret-key-rotation

@aeneasr aeneasr self-assigned this Mar 4, 2022
@aeneasr (Member)

aeneasr commented Mar 4, 2022

Nice find man, thank you!

aeneasr added a commit that referenced this issue Mar 4, 2022
Previously, a misconfiguration of Gorilla's session store caused incorrect handling of the configured secrets. From now on, cookies will also be properly encrypted at all times.

BREAKING CHANGE: If you are using two or more secrets for the `secrets.session`, this patch might break existing Ory Session Cookies. This has the effect that users will need to re-authenticate when visiting your app.

Closes #2272
@aeneasr aeneasr closed this as completed Mar 4, 2022
aeneasr added a commit that referenced this issue Mar 6, 2022
aeneasr added a commit that referenced this issue Mar 6, 2022
aeneasr added a commit that referenced this issue Mar 7, 2022
peturgeorgievv pushed a commit to senteca/kratos-fork that referenced this issue Jun 30, 2023