
Unexpected SESSION cookie is created under a different path causing unauthorized redirect

Open awesomekosm opened this issue 4 years ago • 2 comments

Expected Behavior

When I am logged in, all of my controllers with @Secured(SecurityRule.IS_AUTHENTICATED) are resolved without throwing unauthorized and redirecting me to the login page.

Actual Behaviour

Getting redirected to the unauthorized page when navigating to, for example, /download/name/os, because a cookie is created instead of reading the existing one.

Steps To Reproduce

micronaut:
  session:
    max-inactive-interval: PT15M
    http:
      redis:
        enabled: true
        # The Redis namespace to write sessions to
        namespace: 'app:sessions'
        # Write session changes in the background
        write-mode: BACKGROUND
        # Disable programmatic activation of keyspace events
        enable-keyspace-events: false
        valueSerializer: io.micronaut.jackson.serialize.JacksonObjectSerializer
      cookie: true
      header: false
      cookie-path: /
  security:
    authentication: session
    redirect:
      prior-to-login: true
      login-success: /
      login-failure: /login/fail
      forbidden.url: /
      unauthorized.url: /login
    enabled: true
    intercept-url-map:
      - pattern: /public/**
        http-method: GET
        access:
          - isAnonymous()
    endpoints:
      login:
        enabled: true
      logout:
        enabled: true

2 controllers:

@Validated
@Controller("/")
class HomeController
    @Get("/account")
    @Secured(SecurityRule.IS_AUTHENTICATED)
    @View("home")
    Map<String, Object> account...

@Validated
@Controller("/download")
class DownloadController
    @Secured(SecurityRule.IS_AUTHENTICATED)
    @Get(value = "/{name}/{os}", consumes = MediaType.TEXT_PLAIN, produces = MediaType.APPLICATION_OCTET_STREAM)
    Single<HttpResponse> downloadGame....

Using the Chromium 92.0.4515.107 browser, call /download/game/os and get redirected to login. Log in and call /download/game/os: expect to get your download, but instead get redirected to the login page... In the Chromium debugger, clearing site data, logging in again and calling download again ends up working.

Regarding the SESSION cookie created twice: I commented out unauthorized.url: /login in my application.yml and caught the cookies that exist when calling /download/game/os (image: session_path). I really don't expect this, since my session cookie should always be on /.

Let me know the places where a session cookie could be created; I can attempt to debug further.

Could be related to the not-reproduced https://github.com/micronaut-projects/micronaut-core/issues/882

Environment Information

Ubuntu 20.04.2 Chromium 92.0.4515.107

Example Application

No response

Version

2.5.9

awesomekosm avatar Jul 30 '21 21:07 awesomekosm
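The report above observes a second SESSION cookie scoped to a narrower path than the configured cookie-path of /. The following is an added example, not code from the issue or from the Micronaut project; it replays that scenario in a small model of RFC 6265 cookie handling (path-match, default-path when Set-Cookie carries no Path attribute, and the rule that cookies with longer paths are listed before cookies with shorter paths in the Cookie header). The Set-Cookie headers and session values are constructed for illustration, and the assumption that the second cookie lands under /download/game is the example's own; the report does not state the exact path. The point it shows is why a server that reads the first SESSION cookie sees the new, unauthenticated session on /download/game/os but the authenticated one on /account, and how a defender can spot the duplicate before it reaches production.

```python
"""Model how a browser scopes and sends a SESSION cookie that was set twice.

Added example, not part of the issue or of Micronaut. Sample Set-Cookie
headers below are constructed; the path of the second cookie is an assumption.
"""
from dataclasses import dataclass
from http.cookies import SimpleCookie


@dataclass(frozen=True)
class StoredCookie:
    name: str
    value: str
    path: str


def default_path(request_path: str) -> str:
    """RFC 6265 5.1.4 default-path: used when Set-Cookie has no Path attribute."""
    if not request_path.startswith("/") or request_path.count("/") == 1:
        return "/"
    # Everything up to, but not including, the right-most "/".
    return request_path.rsplit("/", 1)[0]


def path_matches(cookie_path: str, request_path: str) -> bool:
    """RFC 6265 5.1.4 path-match: decides whether a cookie is sent at all."""
    if request_path == cookie_path:
        return True
    if request_path.startswith(cookie_path):
        if cookie_path.endswith("/"):
            return True
        if request_path[len(cookie_path)] == "/":
            return True
    return False


def store(jar: dict, set_cookie_header: str, request_path: str) -> None:
    """Parse one Set-Cookie header and store the cookie keyed by (name, path).

    Two cookies with the same name but different paths coexist in a browser
    jar, which is exactly the situation the report describes.
    """
    parsed = SimpleCookie()
    parsed.load(set_cookie_header)
    for name, morsel in parsed.items():
        path = morsel["path"] or default_path(request_path)
        jar[(name, path)] = StoredCookie(name, morsel.value, path)


def cookie_header_for(jar: dict, request_path: str) -> list:
    """Cookies a browser would send for request_path, longest path first
    (RFC 6265 5.4 step 2). A server that takes the first SESSION value
    therefore sees the most narrowly scoped cookie."""
    matching = [c for c in jar.values() if path_matches(c.path, request_path)]
    return sorted(matching, key=lambda c: len(c.path), reverse=True)


def find_shadowed_cookies(jar: dict, request_path: str) -> list:
    """Defender-side check: cookie names that would be sent more than once
    for request_path, i.e. a narrower-path cookie shadowing the intended one."""
    seen, duplicates = set(), []
    for c in cookie_header_for(jar, request_path):
        if c.name in seen and c.name not in duplicates:
            duplicates.append(c.name)
        seen.add(c.name)
    return duplicates


def simulate_issue() -> dict:
    """Replay the reported sequence with constructed cookie values."""
    jar = {}
    # Login response: session cookie on the configured cookie-path "/".
    store(jar, "SESSION=authenticated-session; Path=/; HttpOnly", "/login")
    # Assumed second cookie created while serving /download/game/os without an
    # explicit Path, so it defaults to /download/game (constructed scenario).
    store(jar, "SESSION=fresh-empty-session; HttpOnly", "/download/game/os")
    to_download = cookie_header_for(jar, "/download/game/os")
    to_account = cookie_header_for(jar, "/account")
    return {
        "first_session_value_seen": to_download[0].value,
        "sent_to_download": [(c.value, c.path) for c in to_download],
        "sent_to_account": [(c.value, c.path) for c in to_account],
        "shadowed": find_shadowed_cookies(jar, "/download/game/os"),
    }


if __name__ == "__main__":
    for key, val in simulate_issue().items():
        print(f"{key}: {val}")
```

Running it shows /download/game/os receiving both SESSION cookies with the empty one first, while /account receives only the authenticated one, which matches the report's symptom of the download route alone bouncing to login until site data is cleared. In a real deployment the same check can be run against captured Set-Cookie headers from a test client: any route that emits a SESSION cookie whose Path differs from the configured cookie-path is the place to look.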

I have the same error: when a browser does the POST request, there is always a redirection to the /log-in page.

sveridovd avatar Jan 31 '25 16:01 sveridovd

Can you please confirm that this is still an issue in the latest version of Micronaut?

ojebari-ma avatar May 25 '25 19:05 ojebari-ma