
An empty name and empty value cookie is being set (HttpOnly)

Open ivkremer opened this issue 8 months ago • 2 comments

Unused no-name and no-value cookie is set

Description

When I navigate to e.g. my-sso.product.com/oauth2/register, the following header is set among others:

set-cookie: HttpOnly

I believe there could be a cookie with its name and value and also an HttpOnly option, but somehow the name and value are empty strings, and instead of not creating a corresponding header, FA sets such an empty cookie.

Observed versions

1.50.0

Steps to reproduce

  1. Navigate to /oauth2/register?...;
  2. There are three cookies being set among the response headers:
set-cookie: federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure
set-cookie: fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure
set-cookie: HttpOnly

Expected behavior

Such a header doesn't exist:

set-cookie: HttpOnly

Platform

Any browser.

Additional context

Some browsers, e.g. Safari, would just ignore such a cookie, while others, e.g. Google Chrome, would set a cookie with an empty name and HttpOnly as the value.

ivkremer, May 29 '24 19:05
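As an added example (not code from the report or from FusionAuth), a small Python checker that parses Set-Cookie values the way RFC 6265 and RFC 6265bis user agents do and flags any cookie a browser could store under an empty name. Strict mode ignores a set-cookie-string without "=" as RFC 6265 section 5.2 specifies; bis mode keeps it as an empty-name cookie, which matches the Chrome behaviour the report describes. The sample headers are the three from the report with values redacted as in the issue.

```python
# Added example, not FusionAuth code: detect Set-Cookie headers that a
# browser would store under an empty name (e.g. a bare "set-cookie: HttpOnly").

def parse_set_cookie(header, rfc6265bis=True):
    """Return (name, value, attributes) or None if the user agent ignores it."""
    name_value, _, rest = header.partition(";")
    if "=" in name_value:
        name, _, value = name_value.partition("=")
    elif rfc6265bis:
        # RFC 6265bis: no "=" means the name is empty and the whole
        # string becomes the value (so "HttpOnly" -> name "", value "HttpOnly")
        name, value = "", name_value
    else:
        # RFC 6265 section 5.2: a string without "=" is ignored entirely
        return None
    name, value = name.strip(), value.strip()
    if not name and not value:
        # Both specs ignore a cookie with neither name nor value
        return None
    attrs = {}
    for part in rest.split(";"):
        part = part.strip()
        if not part:
            continue
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name, value, attrs


def find_nameless_cookies(headers):
    """Return raw Set-Cookie values that a bis-style browser would keep nameless."""
    bad = []
    for h in headers:
        parsed = parse_set_cookie(h, rfc6265bis=True)
        if parsed is not None and parsed[0] == "":
            bad.append(h)
    return bad


# Constructed sample: the three Set-Cookie values from the report, values redacted
RESPONSE_HEADERS = [
    "federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure",
    "fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure",
    "HttpOnly",
]

if __name__ == "__main__":
    for offending in find_nameless_cookies(RESPONSE_HEADERS):
        print("nameless cookie would be stored:", repr(offending))
```

Running `find_nameless_cookies` against a response in an integration test catches the stray header before it reaches a browser, regardless of which parsing rule the browser applies.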