Replies: 1 comment
-
you probably need to upgrade to >= 2.4.7 as the release notes suggest; also see: #542
-
Hi,
We are using mod_auth_openidc together with Keycloak.
During a penetration test we found a problem related to session management.
If you save the session cookie from the browser, you can reuse it to reach any protected resource after logout.
What we see:
After logout the cookie is deleted from the browser.
The Keycloak session is invalidated; Apache cannot refresh the access token.
log entries during logout:
[Sun Jul 04 16:55:23.724576 2021] [auth_openidc:debug] [pid 10190] src/mod_auth_openidc.c(4000): [client 3.254.124.206:34002] oidc_check_user_id: incoming request: "/redirect_uri?logout=https://10.97.226.139/landing", ap_is_initial_req(r)=1
[Sun Jul 04 16:55:23.724592 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Host=10.97.226.139
[Sun Jul 04 16:55:23.724599 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Host=10.97.226.139
[Sun Jul 04 16:55:23.724607 2021] [auth_openidc:debug] [pid 10190] src/util.c(537): [client 3.254.124.206:34002] oidc_get_redirect_uri: determined absolute redirect uri: https://10.97.226.139/redirect_uri
[Sun Jul 04 16:55:23.724615 2021] [auth_openidc:debug] [pid 10190] src/util.c(2316): [client 3.254.124.206:34002] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_NEUUgJhfD6WPCBznowBbQgBkiaM=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..-L3vuTMctsjcR9HW.SEaV-rbLTx_3AsAnolDXeH9_0UPkhZSJnuqS21wYC6O4O0Aa2awnu_FdgkMAOiL5EyOR7Anvy168B9dvx11Uldh2q0nkDbSQKd_naELiUEaflUt-AsTO5BnFLo_kq5UXII8UBGJT51s1DBSBnJchE1Zr1EVpPz3icTB9C3c65BrVNAexmWeNYs_XbB7SjVwPLaZjhD45ovTGaG7zExEDHUcypRh7-TsUap1Z6BFG8mJvr5YHdnLB8PLBMZVJSNX2cphmznsd4VKrHdrMLCVbMN2OYBaA5eN5aWgnRLvMkKm0g1c-XvCPbYQ13Q0Q7WdirKzBhPDachGf1R1p-Rd-CDKTMNabOoayacy60zs4pxjZJYRvxlV3i7oqk1IAXqmR7g.u9NRxxEO9rFyt73-j_UlPA; mod_auth_openidc_session=f8de4c07-02ce-4e15-be47-d97b4d1a4e52
[Sun Jul 04 16:55:23.724647 2021] [auth_openidc:debug] [pid 10190] src/util.c(1055): [client 3.254.124.206:34002] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52"
[Sun Jul 04 16:55:23.724655 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(581): [client 3.254.124.206:34002] oidc_cache_get: enter: f8de4c07-02ce-4e15-be47-d97b4d1a4e52 (section=s, decrypt=1, type=file)
[Sun Jul 04 16:55:23.724828 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(615): [client 3.254.124.206:34002] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM
...
[Sun Jul 04 16:55:23.921928 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(640): [client 3.254.124.206:34002] oidc_cache_set: enter: f:690433b7-eb0a-4343-9b5b-8f49bdea5303:service@https://10.97.226.139/auth/realms/aws (section=d, len=0, encrypt=1, ttl(s)=-1625410523, type=file)
[Sun Jul 04 16:55:23.921995 2021] [auth_openidc:debug] [pid 10190] src/cache/file.c(287): [client 3.254.124.206:34002] oidc_cache_file_clean: last cleanup call was less than 60 seconds ago (next one as early as in 35 secs)
[Sun Jul 04 16:55:23.922105 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(668): [client 3.254.124.206:34002] oidc_cache_set: successfully stored 0 bytes in file cache backend for encrypted key fGBrO13_p-5wNYxLK3-iMnuKGwB_G2gug2SOLU12tEI
[Sun Jul 04 16:55:23.922137 2021] [auth_openidc:debug] [pid 10190] src/util.c(945): [client 3.254.124.206:34002] oidc_util_set_cookie_append_value: no cookie append environment variable OIDC_SET_COOKIE_APPEND found
[Sun Jul 04 16:55:23.922146 2021] [auth_openidc:debug] [pid 10190] src/util.c(2394): [client 3.254.124.206:34002] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
[Sun Jul 04 16:55:23.922154 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(640): [client 3.254.124.206:34002] oidc_cache_set: enter: (section=s, len=0, encrypt=1, ttl(s)=-1625410523, type=file)
[Sun Jul 04 16:55:23.922183 2021] [auth_openidc:debug] [pid 10190] src/cache/file.c(287): [client 3.254.124.206:34002] oidc_cache_file_clean: last cleanup call was less than 60 seconds ago (next one as early as in 35 secs)
[Sun Jul 04 16:55:23.922238 2021] [auth_openidc:error] [pid 10190] [client 3.254.124.206:34002] oidc_cache_file_set: could not delete cache file "/tmp/mod-auth-openidc-s-BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI" (No such file or directory)
[Sun Jul 04 16:55:23.922250 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(668): [client 3.254.124.206:34002] oidc_cache_set: successfully stored 0 bytes in file cache backend for encrypted key BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI
after logout, reaching a protected resource:
[Sun Jul 04 16:55:33.536065 2021] [auth_openidc:debug] [pid 30584] src/util.c(2316): [client 3.254.124.206:26642] oidc_util_hdr_in_get: Cookie=mod_auth_openidc_state_NEUUgJhfD6WPCBznowBbQgBkiaM=eyJhbGciOiAiZGlyIiwgImVuYyI6ICJBMjU2R0NNIn0..-L3vuTMctsjcR9HW.SEaV-rbLTx_3AsAnolDXeH9_0UPkhZSJnuqS21wYC6O4O0Aa2awnu_FdgkMAOiL5EyOR7Anvy168B9dvx11Uldh2q0nkDbSQKd_naELiUEaflUt-AsTO5BnFLo_kq5UXII8UBGJT51s1DBSBnJchE1Zr1EVpPz3icTB9C3c65BrVNAexmWeNYs_XbB7SjVwPLaZjhD45ovTGaG7zExEDHUcypRh7-TsUap1Z6BFG8mJvr5YHdnLB8PLBMZVJSNX2cphmznsd4VKrHdrMLCVbMN2OYBaA5eN5aWgnRLvMkKm0g1c-XvCPbYQ13Q0Q7WdirKzBhPDachGf1R1p-Rd-CDKTMNabOoayacy60zs4pxjZJYRvxlV3i7oqk1IAXqmR7g.u9NRxxEO9rFyt73-j_UlPA; mod_auth_openidc_session=f8de4c07-02ce-4e15-be47-d97b4d1a4e52, referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536080 2021] [auth_openidc:debug] [pid 30584] src/util.c(1055): [client 3.254.124.206:26642] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52", referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536089 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(581): [client 3.254.124.206:26642] oidc_cache_get: enter: f8de4c07-02ce-4e15-be47-d97b4d1a4e52 (section=s, decrypt=1, type=file), referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536220 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(615): [client 3.254.124.206:26642] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM, referer: https://10.97.226.139/fav
Can you please check it?
Thanks in advance!
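The two traces in the post show the pattern a reviewer would want to spot automatically: during the `/redirect_uri?logout=` request the module emits the cookie-clearing `Set-Cookie: mod_auth_openidc_session=;`, yet ten seconds later a request from a different source port presents the same session ID and `oidc_cache_get` still returns a cache hit for the same encrypted key. The following Python script is an added example, written by the editor and not part of the post or of mod_auth_openidc, that runs that check over debug output of this shape. It assumes (my assumption, not something the module guarantees) that lines sharing the same `(pid, client ip:port)` pair belong to one request; a keep-alive connection can reuse that pair, so treat the grouping as a triage heuristic. The embedded log is a constructed, shortened copy of the lines from the post, with the long state cookie value left out.

```python
import re
from datetime import datetime

# Constructed sample input: shortened copies of the debug lines quoted in the post
# (the long mod_auth_openidc_state cookie is omitted; timestamps, pids, client ports,
# session id and encrypted cache key are as posted).
SAMPLE_LOG = """\
[Sun Jul 04 16:55:23.724576 2021] [auth_openidc:debug] [pid 10190] src/mod_auth_openidc.c(4000): [client 3.254.124.206:34002] oidc_check_user_id: incoming request: "/redirect_uri?logout=https://10.97.226.139/landing", ap_is_initial_req(r)=1
[Sun Jul 04 16:55:23.724647 2021] [auth_openidc:debug] [pid 10190] src/util.c(1055): [client 3.254.124.206:34002] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52"
[Sun Jul 04 16:55:23.724828 2021] [auth_openidc:debug] [pid 10190] src/cache/common.c(615): [client 3.254.124.206:34002] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM
[Sun Jul 04 16:55:23.922146 2021] [auth_openidc:debug] [pid 10190] src/util.c(2394): [client 3.254.124.206:34002] oidc_util_hdr_err_out_add: Set-Cookie: mod_auth_openidc_session=; Path=/; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure; HttpOnly; SameSite=None
[Sun Jul 04 16:55:23.922238 2021] [auth_openidc:error] [pid 10190] [client 3.254.124.206:34002] oidc_cache_file_set: could not delete cache file "/tmp/mod-auth-openidc-s-BSAoOMA7Ei_5o6xKTfoSEc_nTIlqbBEpNXfaADAbZtI" (No such file or directory)
[Sun Jul 04 16:55:33.536080 2021] [auth_openidc:debug] [pid 30584] src/util.c(1055): [client 3.254.124.206:26642] oidc_util_get_cookie: returning "mod_auth_openidc_session" = "f8de4c07-02ce-4e15-be47-d97b4d1a4e52", referer: https://10.97.226.139/fav
[Sun Jul 04 16:55:33.536220 2021] [auth_openidc:debug] [pid 30584] src/cache/common.c(615): [client 3.254.124.206:26642] oidc_cache_get: cache hit: return 4278 bytes from file cache backend for encrypted key FLRUUfIbrRZZ0YdqZVx7Pg4LW2KwcK1ES0o_q1eCQSM, referer: https://10.97.226.139/fav
"""

# Apache/mod_auth_openidc debug line: "[ts] [auth_openidc:level] [pid N] src/file.c(line): [client ip:port] msg"
# (error lines omit the src/file.c(line) part, hence the optional group).
LINE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[auth_openidc:(?P<level>\w+)\] \[pid (?P<pid>\d+)\] "
    r"(?:src/\S+ )?\[client (?P<client>[^\]]+)\] (?P<msg>.*)$"
)
SESSION_COOKIE_RE = re.compile(
    r'oidc_util_get_cookie: returning "mod_auth_openidc_session" = "(?P<sid>[^"]+)"'
)
LOGOUT_REQUEST_RE = re.compile(r'incoming request: "/redirect_uri\?logout=')
CLEAR_COOKIE_RE = re.compile(r"Set-Cookie: mod_auth_openidc_session=;")
CACHE_HIT_RE = re.compile(r"oidc_cache_get: cache hit: return \d+ bytes")
TS_FORMAT = "%a %b %d %H:%M:%S.%f %Y"


def group_requests(log_text):
    """Split the debug log into per-request records.

    Assumption (mine, not the module's): every line carrying the same
    (pid, client ip:port) pair belongs to the same request.
    """
    requests = {}  # insertion order == order of first appearance in the log
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], TS_FORMAT)
        req = requests.setdefault((m["pid"], m["client"]), {
            "client": m["client"], "first": ts, "last": ts, "sid": None,
            "logout_request": False, "cookie_cleared": False, "cache_hit": False,
        })
        req["last"] = max(req["last"], ts)
        msg = m["msg"]
        sid = SESSION_COOKIE_RE.search(msg)
        if sid:
            req["sid"] = sid["sid"]
        if LOGOUT_REQUEST_RE.search(msg):
            req["logout_request"] = True
        if CLEAR_COOKIE_RE.search(msg):
            req["cookie_cleared"] = True
        if CACHE_HIT_RE.search(msg):
            req["cache_hit"] = True
    return list(requests.values())


def find_session_reuse(log_text):
    """Report requests that present a session id after a logout request cleared
    its cookie and that still get a session cache hit for it."""
    logged_out = {}  # sid -> (time the clearing Set-Cookie was emitted, client)
    findings = []
    for req in group_requests(log_text):
        sid = req["sid"]
        if sid is None:
            continue
        # Check reuse before recording logout: the logout request itself hits the
        # cache legitimately before it clears the cookie and must not flag itself.
        if sid in logged_out and req["cache_hit"] and req["first"] > logged_out[sid][0]:
            findings.append({
                "session": sid,
                "logged_out_at": logged_out[sid][0],
                "reused_at": req["first"],
                "reused_by": req["client"],
            })
        if req["logout_request"] and req["cookie_cleared"]:
            logged_out[sid] = (req["last"], req["client"])
    return findings


if __name__ == "__main__":
    for f in find_session_reuse(SAMPLE_LOG):
        print(f"session {f['session']} cleared at {f['logged_out_at'].time()} "
              f"still served to {f['reused_by']} at {f['reused_at'].time()}")
```

On the posted trace this reports the single post-logout request from port 26642, which is exactly the reuse the pen test demonstrated; on the logout trace alone it reports nothing. The check only tells you the module still honours a session it said it was clearing; the remedy per the reply is the upgrade, and the script is a way to confirm afterwards that the second cache hit no longer appears.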