[BUG] Two auth_tkt cookies created after login #58

oyvindskj opened this issue Sep 16, 2021 · 7 comments

@oyvindskj

Describe the bug
Using Azure AD for SSO with CKAN, two auth_tkt cookies are created after login. They are equal, but with different domains:

  • cookie1: test-data.mydomain.com
  • cookie2: .test-data.mydomain.com

When logging out, only cookie2 is deleted, leaving cookie1 to keep my session towards CKAN alive. If I try logout again, Azure says I am already logged out and cookie1 remains active.

ckanext-saml2auth version affected
v1.2.1

Expected behaviour
To be logged out of CKAN when I click "Log out"

@duskobogdanovski
Member

Hey @oyvindskj, could you please provide more details because I'm not able to reproduce the issue, thanks.

@oyvindskj
Author

Hi @duskobogdanovski. What I see is that when Azure does the callback
POST https://test-data.mydomain.com/acs
which then returns 302 with header location: https://test-data.mydomain.com/user/me, there are 3 response headers like this:

  • set-cookie: auth_tkt="some-value"; HttpOnly; Path=/; SameSite=Lax; Secure
  • set-cookie: auth_tkt="some-value"; Domain=test-data.mydomain.com; HttpOnly; Path=/; SameSite=Lax; Secure
  • set-cookie: auth_tkt="some-value"; Domain=.test-data.mydomain.com; HttpOnly; Path=/; SameSite=Lax; Secure

some-value is equal across the three headers. I looked in the SAML body that was posted, but could not find any .test there. Can it be some misconfiguration of our CKAN?
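Modelling the three Set-Cookie headers above with Python's http.cookiejar (an added example, not code from CKAN or ckanext-saml2auth; the logout headers, the /logout path and the cookie value are assumptions) shows why a logout that only expires the Domain cookie leaves the host-only cookie, and with it the session, alive:

```python
import http.cookiejar
import urllib.request
from email.message import Message

SITE = "https://test-data.mydomain.com"
# The three Set-Cookie headers quoted above; the ticket value is a constructed placeholder.
LOGIN_HEADERS = [
    'auth_tkt="some-value"; HttpOnly; Path=/; SameSite=Lax; Secure',
    'auth_tkt="some-value"; Domain=test-data.mydomain.com; HttpOnly; Path=/; SameSite=Lax; Secure',
    'auth_tkt="some-value"; Domain=.test-data.mydomain.com; HttpOnly; Path=/; SameSite=Lax; Secure',
]
# Logout that only expires the Domain cookie (constructed to mirror the reported behaviour).
PARTIAL_LOGOUT = ['auth_tkt=""; Domain=.test-data.mydomain.com; Path=/; Max-Age=0']
# Logout that also expires the host-only cookie: one deletion header per cookie variant that was set.
FULL_LOGOUT = PARTIAL_LOGOUT + ['auth_tkt=""; Path=/; Max-Age=0']


class _Response:
    # Minimal stand-in for an HTTP response; CookieJar only needs .info().get_all("Set-Cookie").
    def __init__(self, set_cookie_headers):
        self._msg = Message()
        for h in set_cookie_headers:
            self._msg.add_header("Set-Cookie", h)

    def info(self):
        return self._msg


def apply_set_cookie(jar, url, set_cookie_headers):
    """Store the headers in the jar as if a browser had received them in a response from url."""
    jar.extract_cookies(_Response(set_cookie_headers), urllib.request.Request(url))


def stored(jar):
    """(domain, name, host_only) for each cookie; host_only means no Domain attribute was sent."""
    return sorted((c.domain, c.name, not c.domain_specified) for c in jar)


def sends_auth_tkt(jar, url):
    """True if a later request to url would still carry auth_tkt, i.e. the session is alive."""
    req = urllib.request.Request(url)
    jar.add_cookie_header(req)
    return "auth_tkt=" in (req.get_header("Cookie") or "")


def simulate(logout_headers):
    """Log in with the three headers, log out with logout_headers, report what survives."""
    jar = http.cookiejar.CookieJar()
    apply_set_cookie(jar, SITE + "/acs", LOGIN_HEADERS)
    after_login = stored(jar)
    apply_set_cookie(jar, SITE + "/logout", logout_headers)  # "/logout" is a placeholder path
    return after_login, stored(jar), sends_auth_tkt(jar, SITE + "/user/me")


if __name__ == "__main__":
    print(simulate(PARTIAL_LOGOUT), simulate(FULL_LOGOUT))
```

The jar collapses the two Domain variants into one entry, exactly as the browser shows two cookies rather than three; the fix is to expire each variant that was set, not only the dotted one.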

@duskobogdanovski
Member

duskobogdanovski commented Sep 23, 2021

@oyvindskj, the leading dot means that the cookie is valid for subdomains as well; nevertheless recent HTTP specifications (RFC 6265) changed this rule so modern browsers should not care about the leading dot. The dot may be needed by old browsers implementing the deprecated RFC 2109.
Could you please verify that after you log out: ckan and auth_tkt cookies are deleted?

@oyvindskj
Author

@duskobogdanovski This is described in the initial issue: only one of the two auth_tkt cookies is deleted. Also, the ckan cookie remains. I am using Chrome 93.0.4577.82.

@mbocevski
Member

@oyvindskj this is quite peculiar, because the behavior is correct: cookies are set and managed by core CKAN, and you can see that even the tests expect the same behavior https://github.com/ckan/ckan/blob/0ab924d5ea331625bd61a805f23c68a17f028193/ckan/tests/lib/test_auth_tkt.py. However, it could be a real bug/issue, so it would be great to know which CKAN core version you're running.

@oyvindskj
Author

2.9.3 is our CKAN version @mbocevski

/api/3/action/status_show gives:

    {
      "success": true,
      "result": {
        "site_url": "https://test-data.mydomain.com",
        "ckan_version": "2.9.3",
        "error_emails_to": null,
        "locale_default": "nb_NO",
        "extensions": [
          "scheming_datasets", "pages", "dcat", "stats", "text_view",
          "image_view", "recline_view", "recline_graph_view", "recline_grid_view",
          "recline_map_view", "datastore", "datapusher", "resource_proxy",
          "pdf_view", "hidegroups", "saml2auth"
        ]
      }
    }

I removed two extensions we have developed ourselves.

@oyvindskj
Author

Let me know if there is something I can do to help. I tried with Edge as well; same behaviour.
