breakfix: cookie/token is invalidated before it expires #348

Open
vnxme opened this issue Jun 21, 2024 · 1 comment

vnxme commented Jun 21, 2024

Describe the issue

I have Caddy (a Docker container) handling multiple subdomains and use caddy-security to protect a number of them. E.g. when I want to view test.domain.com, I get redirected to auth.domain.com, I put my credentials there, and finally I get redirected back to test.domain.com with a valid access_token cookie set.

After some time has passed, e.g. 15 minutes or more, I can still view test.domain.com and other subdomains, unless the cookie/token has expired (I use a 24-hour period as both cookie and token lifetime). However, if I navigate to auth.domain.com/portal, or just auth.domain.com, my cookie is invalidated, and I get redirected to auth.domain.com/login.

What’s also important, it doesn’t happen every time. And I can’t track what it may be caused by. But when it does happen, it’s quite annoying to type credentials every time it asks, even though I have already logged in a few minutes/hours before.

Configuration

Paste full Caddyfile below:

{
	order authenticate before respond
	order authorize before basicauth
	security {
		local identity store users {
			realm local
			path /data/caddy/users.json
		}
		authorization policy authpolicy {
			allow roles authp/admin authp/user
			crypto key verify [secret_value]
			set auth url https://auth.domain.com/
			validate source address
		}
		authentication portal authportal {
			cookie domain domain.com
			cookie lifetime 86400
			crypto default token lifetime 86400
			crypto key sign-verify [secret_value]
			enable identity store users
			enable source ip tracking
		}
	}
}
domain.com, *.domain.com {
	import [tls_encoding_headers_etc]
	@auth host auth.domain.com
	handle @auth {
		authenticate with authportal
	}
	handle {
		authorize with authpolicy
		import [reverse_proxy_etc]
	}
}

Version Information

Provide output of caddy list-modules --versions | grep -E "(auth|security)" below:

caddy v2.7.6
security v1.1.23

Expected behavior

I don't expect a cookie/token to be invalidated until it expires or unless the user logs out.

Additional context

Can't say exactly how many minutes should pass before caddy-security demonstrates such behaviour. It seems to occur both if I restart Caddy within this time frame or just leave it running.

@GerardPolloRebozado

I have the same issue
