Topic: Mod auth openidc state cookies
ApacheUser1212123
Joined: 22 Feb 2021 Posts: 7
Posted: Mon 02 Aug '21 12:10 Post subject: Mod auth openidc state cookies
Hey,
I have Apache configured for OIDC authentication, which works fine. But there are many mod_auth_openidc_state_... cookies. I have tried setting OIDCStateTimeout to a few seconds, but this doesn't seem to help to clean up old state cookies.
I use a quite old mod_auth_openidc module (version 1.8.8). I saw there is an option to limit the number of these cookies in newer versions, but it is problematic for me to upgrade this version.
Do you know how to make Apache clean those cookies after a given time?
Thanks
tangent Moderator
Joined: 16 Aug 2020 Posts: 348 Location: UK
Posted: Thu 05 Aug '21 21:14 Post subject:
Searching the net, it looks like your OIDC problem is well known, with there being a number of reasons why old state cookies can pile up. These pages look directly relevant and informative:
https://github.com/zmartzone/mod_auth_openidc/wiki/Cookies
https://github.com/zmartzone/mod_auth_openidc/issues/331
The issue seems to have been addressed in more recent releases of OIDC (2.3.8), with the addition of OIDCStateMaxNumberOfCookies to limit the number of state cookies, but you're saying you can't update the mod_auth_openidc module at this time. Shame.
It is possible to set/edit/delete cookies with Apache using header response directives, but the cookie request header can be a complex animal to parse. The usual strategy is to use mod_rewrite to identify the presence of a certain cookie in the request headers, along with various other request conditions, and set an environment variable to denote that finding. Then use that variable to control some response (Set-Cookie) header, e.g. to delete a cookie,
Code:
    Header always add Set-Cookie "COOKIE_NAME=''; Max-Age=-1" env=DeleteCookie
But how is Apache supposed to know which mod_auth_openidc_state_ cookies are no longer valid and can be deleted? That detail is surely known only by the mod_auth_openidc module.
One possible option might be to edit the initial Set-Cookie response from mod_auth_openidc before the state cookie is sent back to the client, to explicitly set the Max-Age of that cookie. That way the client browser will do the cookie clean up for you. But surely this will mess up some aspect of user session timeouts?
My recommendation would be to upgrade the OIDC module to resolve this problem.
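The two approaches the moderator sketches (detect a state cookie with mod_rewrite and act on it from a Header directive; or edit the module's own Set-Cookie so the browser expires the cookie itself), written out as an added configuration example. This is not code from the thread or from mod_auth_openidc. The environment variable name OIDC_STATE_COOKIE, the Path=/ (mod_auth_openidc's default OIDCCookiePath), and the 300-second Max-Age are assumptions for illustration; the cookie name prefix mod_auth_openidc_state_ is the one the original poster reports.

```apache
# Added example, not part of the original thread or of mod_auth_openidc.
# Assumptions: state cookies are named mod_auth_openidc_state_<something>,
# were set with Path=/, and OIDC_STATE_COOKIE / the 300 s lifetime are
# names and values chosen for illustration.

<Location "/">
    RewriteEngine On

    # 1. Find a state cookie in the request's Cookie header and capture its
    #    full name into an environment variable. Only the first match is
    #    captured; %2 is the second group of the last matching RewriteCond.
    RewriteCond %{HTTP_COOKIE} (^|;\s*)(mod_auth_openidc_state_[^=]+)= [NC]
    RewriteRule ^ - [E=OIDC_STATE_COOKIE:%2]

    # 2a. Ask the browser to drop that cookie, but only when step 1 fired.
    #     "add" rather than "set": "set" would replace every other Set-Cookie
    #     in the same response, including the module's own session cookie.
    #     Path must equal the original cookie's Path or the browser will not
    #     match (and therefore not delete) it. Note this fires on *any*
    #     request carrying a state cookie, so it will also kill a login that
    #     is still in flight; Apache alone cannot tell stale from live.
    Header always add Set-Cookie "%{OIDC_STATE_COOKIE}e=; Max-Age=0; Path=/" env=OIDC_STATE_COOKIE

    # 2b. Alternative: give every state cookie the module emits a bounded
    #     lifetime so the browser discards it on its own. "always" is
    #     required because the cookie rides on the 302 redirect to the IdP
    #     and may sit in the error headers table, which plain "Header" skips.
    #     The negative lookahead leaves a Set-Cookie that already carries
    #     Max-Age untouched instead of appending a second one.
    Header always edit Set-Cookie "^(?!.*Max-Age=)(mod_auth_openidc_state_[^=]+=[^;]*)(.*)$" "$1; Max-Age=300$2"
</Location>
```

The Max-Age in 2b should be at least as long as OIDCStateTimeout (300 seconds is that directive's default): a state cookie that expires in the browser before the user finishes at the identity provider (MFA prompt, password reset) makes the callback to the redirect URI fail with a missing-state error, which is the session-timeout side effect the moderator warns about. Approach 2a is only shown to illustrate the env-variable pattern; since it cannot distinguish stale cookies from the one protecting a login in progress, the upgrade to a release with OIDCStateMaxNumberOfCookies remains the sound fix.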