Mellon + <Location "/">
Howdy,
I'm having an issue with Mellon when it's set to protect an entire website (i.e. <Location "/">).
I have a website at sub.domain.com and I have the "/protected" location set up as per the tutorial, which I set to redirect to Azure, sign in, then redirect back to sub.domain.com/mellon/postResponse. This works!
However, if I change the location from /protected to /, it also works, but the requests that originate from sub.domain.com trigger an error page ("Bad request" / "Your browser sent a request that the server could not understand") at the postResponse stage. If I type in the URL again correctly, it works. If the request is triggered by any other URL, e.g. https://sub.domain.com/index.html or https://sub.domain.com/protected (with Mellon still protecting Location /), then again it works.
Is this a bug or did I miss a step?
Hi, I'm not a dev on this project, but I tried to use mellon some time ago. The only place it's triggering the bad request is when it drops the cookie. Consider setting MellonCookieSameSite to None and see if that fixes your problem. Also: which version are you running?
Same issue here. The "none" option looks invalid:
AH00526: Syntax error on line 180 of /usr/local/apache2/conf/httpd.conf:
The MellonCookieSameSite parameter must be 'lax' or 'strict'
libapache2-mod-auth-mellon: 0.14.2-1
Tried to build auth_mellon from this repo, but got stuck at configure and make. :-/
You need to have a Mellon version that can send cookies with SameSite=None (i.e. 0.16.0 and above) in order to reliably work with modern browsers. If you do not know how to build mellon from the repo, I suggest you look at your OS vendor for packages.
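For reference, here is a minimal vhost fragment that puts the whole site under Mellon with the cookie settings discussed in this thread. It is an added illustration, not a config taken from the project docs or from any poster; the hostname, certificate/key paths and metadata file names are placeholders, and it assumes mod_auth_mellon 0.16.0 or later, since earlier releases reject "None" for MellonCookieSameSite with exactly the syntax error quoted above.

```apache
# Added example (not from the thread): whole site behind Mellon.
# Assumes mod_auth_mellon >= 0.16.0; hostnames, key/cert paths and metadata
# file names below are placeholders.
<VirtualHost *:443>
    ServerName sub.domain.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/sub.domain.com.crt
    SSLCertificateKeyFile /etc/ssl/private/sub.domain.com.key

    <Location "/">
        AuthType Mellon
        MellonEnable "auth"
        Require valid-user

        # Mellon's own endpoints (/mellon/postResponse, /mellon/logout, ...)
        # live under this prefix and are handled by the module itself, even
        # though they sit inside the protected "/" location.
        MellonEndpointPath "/mellon"

        MellonSPPrivateKeyFile /etc/apache2/mellon/sp-private-key.pem
        MellonSPCertFile       /etc/apache2/mellon/sp-cert.pem
        MellonSPMetadataFile   /etc/apache2/mellon/sp-metadata.xml
        MellonIdPMetadataFile  /etc/apache2/mellon/azure-idp-metadata.xml

        # The IdP returns the SAML response with a cross-site POST to
        # /mellon/postResponse. With SameSite=lax or strict, the browser
        # withholds the Mellon cookie on that POST, which matches the
        # "Bad request" at the postResponse stage described above.
        # Browsers only accept SameSite=None together with the Secure flag,
        # so the two are set as a pair.
        MellonCookieSameSite None
        MellonSecureCookie On
    </Location>
</VirtualHost>
```

After editing, run `apachectl configtest` (or `httpd -t`) before reloading. On 0.14.x the check fails with "The MellonCookieSameSite parameter must be 'lax' or 'strict'", the same message quoted earlier in the thread, so confirm the installed package version (for Debian/Ubuntu, `dpkg -l libapache2-mod-auth-mellon`) before relying on the None value.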