
An empty name and empty value cookie is being set (HttpOnly)

Open ivkremer opened this issue 1 year ago • 2 comments

Unused no-name and no-value cookie is set

Description

When I'm navigating to e.g. my-sso.product.com/oauth2/register, there is such a header being set among others:

set-cookie: HttpOnly

I believe there could be a cookie with a name, a value and the HttpOnly option, but somehow the name and value are empty strings, and instead of not creating the corresponding header, FA sets such an empty cookie.

Observed versions

1.50.0

Steps to reproduce

  1. Navigate to /oauth2/register?...;
  2. There are three cookies being set among the response headers:
set-cookie: federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure
set-cookie: fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure
set-cookie: HttpOnly

Expected behavior

Such a header doesn't exist:

set-cookie: HttpOnly

Platform

Any browser.

Additional context

Some browsers, e.g. Safari, would just ignore such a cookie, while others, e.g. Google Chrome, would set a cookie with an empty name and HttpOnly as the value.

ivkremer, May 29 '24 19:05
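A small response-header audit, added here as an example and not part of the issue or of FusionAuth's code, that reproduces the browser split described above: it parses each Set-Cookie header the way the RFC 6265bis draft (and Chrome) does, where a name-value pair with no "=" becomes a nameless cookie whose value is the whole pair, and flags that case as a defect (RFC 6265 itself tells a client to ignore such a header, which matches the Safari behaviour). The sample headers are copied from the reproduction step, with placeholder values.

```python
from dataclasses import dataclass, field


@dataclass
class CookieAudit:
    raw: str
    name: str
    value: str
    attributes: list = field(default_factory=list)
    problems: list = field(default_factory=list)


def parse_set_cookie(raw):
    """Split a Set-Cookie value into (name, value, attributes).

    Follows the RFC 6265bis parsing that Chrome implements: the text before the
    first ';' is the name=value pair, and a pair without '=' yields an empty
    name with the whole pair as the value ("HttpOnly" -> name "", value "HttpOnly").
    """
    pair, _, rest = raw.partition(";")
    name, eq, value = pair.partition("=")
    if not eq:
        name, value = "", pair
    attributes = [a.strip() for a in rest.split(";") if a.strip()]
    return name.strip(), value.strip(), attributes


def audit_set_cookie(raw):
    """Return a CookieAudit listing every problem found in one Set-Cookie value."""
    name, value, attrs = parse_set_cookie(raw)
    audit = CookieAudit(raw, name, value, attrs)
    flags = {a.split("=", 1)[0].lower() for a in attrs}
    if not name:
        audit.problems.append("empty cookie name: no real cookie is carried, yet some "
                              "browsers still store it as a nameless cookie")
    if not value:
        audit.problems.append("empty cookie value")
    for required in ("httponly", "secure"):
        if required not in flags:
            audit.problems.append(f"missing {required} attribute")
    return audit


def audit_response(header_lines):
    """Audit every Set-Cookie header in a list of 'name: value' response header lines."""
    results = []
    for line in header_lines:
        header_name, _, header_value = line.partition(":")
        if header_name.strip().lower() == "set-cookie":
            results.append(audit_set_cookie(header_value.strip()))
    return results


# Constructed sample: the three headers from the reproduction step plus one non-cookie header.
SAMPLE_RESPONSE = [
    "set-cookie: federated.csrf=xxx; HttpOnly; Path=/; SameSite=Lax; Secure",
    "set-cookie: fusionauth.sso=yyy; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax; Secure",
    "set-cookie: HttpOnly",
    "content-type: text/html; charset=UTF-8",
]

if __name__ == "__main__":
    for audit in audit_response(SAMPLE_RESPONSE):
        status = "BAD" if audit.problems else "OK "
        print(f"{status} {audit.raw!r}: {'; '.join(audit.problems) or 'no issues'}")
```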

Thanks for opening the issue @ivkremer and thank you for using FusionAuth! We'll look into this!

robotdan, Jun 07 '24 02:06

@ivkremer I was unable to replicate this issue. I tried with both 1.51.2 and 1.50.0 and didn't see it.

Here's how I was testing:

  • install default FusionAuth via docker
  • run curl -D out2 'http://localhost:9011/oauth2/authorize?client_id=3c219e58-ed0e-4b18-ad48-f4f92793ae32&response_type=code&redirect_uri=%2Fadmin%2Flogin&scope=offline_access&code_challenge=fWUxW0iTxqu-zqog6tLPhMrBASW2WLZK25nizhzBqcY&code_challenge_method=S256&state=_7y28LpDFzJ_rYYnMH0a5El33ucHaMhAXE3_oP-Fzd0'

I saw this output:

HTTP/1.1 200 
set-cookie: fusionauth.sso=AoE4zc9ApkB-i6nz_qmzElRkw_adEMj28yjl4eldJcrn; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
transfer-encoding: chunked
x-frame-options: DENY
content-type: text/html; charset=UTF-8
connection: keep-alive
cache-control: no-store

I also tested with Chrome on a mac and saw these headers when looking at the network request:

HTTP/1.1 200
set-cookie: fusionauth.sso=AlUHejpu8AvvieedEKp7I-XSxGXksrUFgcM2p_4q03j0; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
set-cookie: fusionauth.remember-device=QkJCAQaNRRo6JmgTkrrCHY9xZa2kudznw6fBAigUyzmeU2jkWt9ueHAzsecnltJDG2vh7cSZtA62MYphVoR1b4gyumoEt6hUkcKpesM8UHwixuaoQ9WvuVHu8bnId7T2zpssPDATNiCKP2jwuTV8HR2GvsH-a6J7CmWpjevk5i-dfp4AQXEg-LZW7ysC-6O4YALHmA==; HttpOnly; Max-Age=2147483647; Path=/; SameSite=Lax
transfer-encoding: chunked
x-frame-options: DENY
content-encoding: gzip
content-type: text/html; charset=UTF-8
connection: keep-alive
cache-control: no-store

Can you provide more details?

  • are you hosting FusionAuth locally, or in FusionAuth cloud or some other place
  • what configuration, if any, are you doing to FusionAuth
  • can you replicate the issue with curl or does it only happen with browsers
  • any other platform information you can share

Thanks!

mooreds, Oct 28 '24 22:10