Sign redirect requests for CAS #5452
Conversation
We were allowing a cookie, which can be user defined, to redirect users after CAS authentication. This could potentially be tampered with or set by a bad actor. By signing these cookies and validating them we remove this possibility and ensure that whatever is supplied in the cookie was created by us.
This wasn't doing anything as the frontend catches the unauthenticated response and sends the user to the login page. When no account exists there isn't any of the application a user can actually visit.
There is no need to do this ourselves and it's weird and hokey anyway.
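The sign-then-verify pattern the description refers to, as an added illustration that is not code from this pull request or from the project it belongs to (the project's language and its cookie layout are not visible here, so Python's standard library is assumed). The server derives an HMAC over the redirect target with a secret only it holds; on the way back from CAS it recomputes the MAC and falls back to a default path whenever the cookie is absent, unsigned, malformed, or carries a tag that does not match. `SECRET_KEY`, `sign_redirect` and `verify_redirect` are names chosen for this example.

```python
import base64
import hashlib
import hmac
import secrets

# Constructed for this example: a real service loads the signing key from its
# configuration; it must never be exposed to the browser.
SECRET_KEY = secrets.token_bytes(32)
DEFAULT_REDIRECT = "/"


def _b64encode(data: bytes) -> bytes:
    """URL-safe base64 without padding, so the value is cookie-friendly."""
    return base64.urlsafe_b64encode(data).rstrip(b"=")


def _b64decode(data: bytes) -> bytes:
    """Inverse of _b64encode; raises ValueError (binascii.Error) on malformed input."""
    return base64.urlsafe_b64decode(data + b"=" * (-len(data) % 4))


def _mac(body: bytes, key: bytes) -> bytes:
    """HMAC-SHA256 over the encoded body, keyed with the server secret."""
    return hmac.new(key, body, hashlib.sha256).digest()


def sign_redirect(path: str, key: bytes = SECRET_KEY) -> str:
    """Produce the cookie value '<b64(path)>.<b64(hmac)>' for a post-login target."""
    body = _b64encode(path.encode("utf-8"))
    return (body + b"." + _b64encode(_mac(body, key))).decode("ascii")


def verify_redirect(cookie_value, key: bytes = SECRET_KEY,
                    default: str = DEFAULT_REDIRECT) -> str:
    """Return the path carried by a cookie this server signed, or `default`
    when the cookie is missing, malformed, unsigned, or fails the MAC check."""
    if not cookie_value:
        return default
    try:
        raw = cookie_value.encode("ascii")
    except (UnicodeEncodeError, AttributeError):
        return default
    body, sep, tag = raw.rpartition(b".")
    if not sep or not body or not tag:
        return default
    try:
        given = _b64decode(tag)
    except ValueError:
        return default
    # Constant-time comparison: a forged tag must not be refinable byte by byte.
    if not hmac.compare_digest(_mac(body, key), given):
        return default
    try:
        return _b64decode(body).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return default


if __name__ == "__main__":
    cookie = sign_redirect("/tasks/42")
    print("cookie:", cookie)
    print("verified:", verify_redirect(cookie))
    print("unsigned value falls back to:", verify_redirect("/tasks/42"))
```

The MAC establishes only that the server produced the value, which is exactly the guarantee the description asks for; it says nothing about the path itself, so any value that cannot be verified is replaced by the default rather than trusted.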
PR deployed to docker for all containers, you can access with the tag
Are there any other places where this cookie is used that would need updating like this?
I couldn't find any, and it's in that constant so it should have been easy to surface. It's internal entirely to this script and just a way to reliably move data through the CAS redirect process without storing anything on the machine.
Suspect Issues: This pull request was deployed and Sentry observed the following issues: