
Response of "connect/authorize/callback" sends ConsentResponse cookie

Open · opened by msschl on Oct 19 '21 · 1 comment

Although consent is not required (set by the client settings), the "connect/authorize/callback" endpoint sends a cookie named "ConsentResponse.{Id}" with the value ".".

Set-Cookie: ConsentResponse.Mpe9ObwEdnlkUYGDrt6DzwVcKpt--sfnaYI2te6clq0=.; expires=Fri, 31 Dec 1999 23:00:00 GMT; path=/; secure; httponly

I traced this down to the MessageCookie.ClearByCookieName function, which always sets the content of the cookie to ".", regardless of whether the cookie even exists in the first place or not.

My observations: In the final block of the ProcessAuthorizeRequestAsync method in the AuthorizeEndpointBase.cs class, a call is made to the consent response store's delete async method. This method calls the Clear method on the MessageCookie<ConsentResponse> class, which finally calls the Clear method on the MessageCookie class.

Suggestion: Add a check whether the cookie is even present on the request before trying to clear the cookie.

msschl avatar Oct 19 '21 17:10 msschl

Basically, perform a simple if before clearing:

private void ClearByCookieName(string name)
{
    // Only emit the expiring Set-Cookie when the request actually carried
    // a cookie with this name; otherwise there is nothing to clear.
    if (!_context.HttpContext.Request.Cookies[name].IsPresent())
        return;

    // Overwrite the cookie with a placeholder value and an expiry in the
    // past so the browser discards it.
    _context.HttpContext.Response.Cookies.Append(
        name,
        ".",
        new CookieOptions
        {
            Expires = new DateTime(2000, 1, 1),
            HttpOnly = true,
            Secure = Secure,
            Path = CookiePath,
            IsEssential = true
        });
}

msschl avatar Oct 19 '21 17:10 msschl
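The behaviour reported in the opening post (an expiring "ConsentResponse.{Id}" Set-Cookie emitted even though the client never sent such a cookie) can be checked from the outside, without reading the server code. The following is an added example and not IdentityServer4 or Duende code: it takes the Cookie header a client sent and the Set-Cookie headers the server answered with, and reports every deletion cookie (past Expires or Max-Age of zero) whose name the request never carried. The sample exchange, the cookie ids and the `ConsentResponse.` prefix filter are constructed for the example; the only part taken from the issue is the shape of the quoted Set-Cookie header. It goes beyond the page by also handling Max-Age deletions, which the ASP.NET Core cookie writer does not emit here but other servers do.

```python
"""Check an HTTP exchange for stray cookie clears.

Added example (not IdentityServer4 or Duende code): given the Cookie header
the client sent and the Set-Cookie headers the server returned, report every
deletion cookie (past Expires or Max-Age <= 0) whose name the client never
sent. The behaviour described in this issue shows up as a
ConsentResponse.{Id} deletion with no matching request cookie.
"""
from datetime import datetime, timezone
from email.utils import parsedate_to_datetime
from typing import Dict, List, Optional, Tuple


def parse_cookie_header(cookie_header: str) -> Dict[str, str]:
    """Parse a request Cookie header into {name: value}.

    Each pair is split at its first '=', which is how RFC 6265 user agents
    treat it.
    """
    cookies: Dict[str, str] = {}
    for pair in cookie_header.split(";"):
        pair = pair.strip()
        if not pair:
            continue
        name, _, value = pair.partition("=")
        cookies[name.strip()] = value.strip()
    return cookies


def parse_set_cookie(header: str) -> Tuple[str, str, Dict[str, str]]:
    """Split one Set-Cookie header into (name, value, {attr: value}).

    Attribute names are lower-cased; flag attributes such as Secure and
    HttpOnly map to an empty string.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def is_deletion(attrs: Dict[str, str], now: datetime) -> bool:
    """True if the attributes instruct the client to drop the cookie.

    Max-Age takes precedence over Expires when both are present
    (RFC 6265 section 5.3).
    """
    if "max-age" in attrs:
        try:
            return int(attrs["max-age"]) <= 0
        except ValueError:
            return False
    if "expires" in attrs:
        try:
            expires = parsedate_to_datetime(attrs["expires"])
        except (TypeError, ValueError):
            return False
        if expires.tzinfo is None:
            expires = expires.replace(tzinfo=timezone.utc)
        return expires <= now
    return False


def stray_cookie_clears(request_cookie_header: str,
                        set_cookie_headers: List[str],
                        prefix: str = "ConsentResponse.",
                        now: Optional[datetime] = None) -> List[str]:
    """Names of deletion cookies under `prefix` that the request never carried."""
    now = now or datetime.now(timezone.utc)
    present = parse_cookie_header(request_cookie_header)
    stray: List[str] = []
    for header in set_cookie_headers:
        name, _value, attrs = parse_set_cookie(header)
        if not name.startswith(prefix):
            continue
        if is_deletion(attrs, now) and name not in present:
            stray.append(name)
    return stray


# Constructed sample exchange; the ids are made up, not real IdentityServer4 ids.
REQUEST_COOKIES = "idsrv.session=s1; ConsentResponse.sentById=payload"
RESPONSE_SET_COOKIES = [
    # Legitimate clear: the client sent this cookie, so deleting it is expected.
    "ConsentResponse.sentById=.; expires=Fri, 31 Dec 1999 23:00:00 GMT; path=/; secure; httponly",
    # Stray clear: same shape as the header quoted in the issue, but the
    # client never sent a cookie with this name.
    "ConsentResponse.neverSentId=.; expires=Fri, 31 Dec 1999 23:00:00 GMT; path=/; secure; httponly",
    # Stray clear expressed with Max-Age instead of Expires.
    "ConsentResponse.anotherId=.; max-age=0; path=/; secure; httponly",
    # Not a deletion: a ConsentResponse cookie being set with a future lifetime.
    "ConsentResponse.freshId=payload; max-age=3600; path=/; secure; httponly",
    # Not a deletion and outside the prefix: a session cookie refresh.
    "idsrv.session=s1; path=/; samesite=none; secure",
]


if __name__ == "__main__":
    for name in stray_cookie_clears(REQUEST_COOKIES, RESPONSE_SET_COOKIES):
        print(f"stray clear of a cookie the client never sent: {name}")
```

Point it at a captured request/response pair from the authorize callback (for example from a proxy log) and any name it prints is a clear the guard in the snippet above would have suppressed.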

Is this fixed?

msschl avatar Dec 12 '22 13:12 msschl

If this was acknowledged as a bug, it has been fixed in the new repo:

https://github.com/DuendeSoftware/IdentityServer

leastprivilege avatar Dec 13 '22 07:12 leastprivilege