Skip to content

Handle auth schemes in cookie names #25279

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
merged 2 commits into from
Aug 28, 2020
Merged

Handle auth schemes in cookie names #25279

merged 2 commits into from
Aug 28, 2020

Conversation

@Tratcher
Copy link
Member

@Tratcher Tratcher commented Aug 26, 2020
edited
Loading

Description

#23579 removed cookie name encoding due to security concerns outlined in #23578. The result is that people creating cookies need to provide valid names. #25266 identified a scenario where the ASP.NET authentication libraries generate cookie names using a secondary value without ensuring it makes a valid cookie name. The two affected scenarios are remote authentication and cookie authentication.

The downlevel patches (#24264) used a more conservative mitigation that does not introduce the same regression. We opted not to use the same fix in 5.0 because it has known limitations.

Fix

In the remote authentication scenario the authentication scheme name can be removed from the correlation cookie, it's not providing any value there.

In the cookie auth scenario the authentication scheme is used to distinguish between cookie instances. We'll encode only the authentication scheme in the cookie name to ensure it makes a valid cookie name. Limiting the encoding to the auth scheme name avoids the concerns in the original security issue.

Customer Impact

Regression?

Yes, in preview 8 as a side effect of a security change #23579

Risk

Low

cc: @martincostello

@Tratcher Tratcher added the area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer label Aug 26, 2020
@Tratcher Tratcher added this to the 5.0.0-rc1 milestone Aug 26, 2020
@Tratcher Tratcher requested review from HaoK and Pilchie August 26, 2020 18:48
@Tratcher Tratcher self-assigned this Aug 26, 2020
HaoK
HaoK reviewed Aug 26, 2020
View reviewed changes
@Pilchie Pilchie added the Servicing-approved Shiproom has approved the issue label Aug 26, 2020
@Pilchie
Copy link
Member

Pilchie commented Aug 26, 2020

Approved for RC1.

@Tratcher
Copy link
Member Author

Tratcher commented Aug 27, 2020

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 27, 2020

Azure Pipelines successfully started running 2 pipeline(s).

@Tratcher
Copy link
Member Author

Tratcher commented Aug 28, 2020

/azp run

@azure-pipelines
Copy link

azure-pipelines bot commented Aug 28, 2020

Azure Pipelines successfully started running 2 pipeline(s).

@Tratcher
Copy link
Member Author

Tratcher commented Aug 28, 2020

Merge please.

@Pilchie Pilchie merged commit 748b368 into dotnet:release/5.0 Aug 28, 2020
@Tratcher Tratcher deleted the tratcher/authcookies branch August 28, 2020 16:02
akunzai added a commit to akunzai/GSS.Authentication.CAS that referenced this pull request Dec 22, 2020
@akunzai
Auth scheme was removed from cookie name since ASP.NET Core 5.0
973026c 
- dotnet/aspnetcore#25279
akunzai added a commit to akunzai/GSS.Authentication.CAS that referenced this pull request Dec 22, 2020
@akunzai
Auth scheme was removed from cookie names since ASP.NET Core 5.0
3d0c2ab 
- dotnet/aspnetcore#25279
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@HaoK HaoK HaoK approved these changes

@Pilchie Pilchie Awaiting requested review from Pilchie

Assignees

@Tratcher Tratcher

Labels

area-auth Includes: Authn, Authz, OAuth, OIDC, Bearer Servicing-approved Shiproom has approved the issue

Projects

None yet

Milestone

5.0.0-rc1

Development

Successfully merging this pull request may close these issues.

3 participants

@Tratcher @Pilchie @HaoK