Describe the bug
SSO Proxy can send a blank cookie header which is then used as part of the request signature which can be confusing to implement for upstream signature verifiers.
This bug is a result of the way sso removes the session cookie when it was the only cookie. In this case, it stores an empty string as a single item in a string slice. This empty string is then used as part of the signature. The specification is unclear what to do when empty values are encountered.
Expected behavior
Do not proxy empty cookie headers, and prevent them from being used as part of the signature.
The signer should then specify and ignore empty strings.
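The behaviour reported above, as an added Go example that is not sso's own code: stripping the only cookie leaves an empty Cookie value that ends up in the signed string, while deleting the header (or skipping empty values in the signer) does not. The function names, the `session` cookie name, the `X-Forwarded-User` header and the newline-joined signing string are assumptions made for illustration.

```go
package main

import (
	"fmt"
	"net/http"
	"strings"
)

// stripSessionCookie removes the named cookie before proxying. dropEmpty=false
// reproduces the report: a lone session cookie leaves Cookie: [""] behind.
func stripSessionCookie(h http.Header, name string, dropEmpty bool) {
	var kept []string
	for _, part := range strings.Split(strings.Join(h.Values("Cookie"), ";"), ";") {
		if p := strings.TrimSpace(part); p != "" && !strings.HasPrefix(p, name+"=") {
			kept = append(kept, p)
		}
	}
	if dropEmpty && len(kept) == 0 {
		h.Del("Cookie") // fix: do not proxy an empty Cookie header
		return
	}
	h["Cookie"] = []string{strings.Join(kept, "; ")}
}

// signingString is a hypothetical canonicalisation: one line per signed header
// that is present. skipEmpty makes the signer ignore empty values.
func signingString(h http.Header, signed []string, skipEmpty bool) string {
	var lines []string
	for _, name := range signed {
		v := strings.Join(h.Values(name), ",")
		if len(h.Values(name)) > 0 && !(skipEmpty && v == "") {
			lines = append(lines, v)
		}
	}
	return strings.Join(lines, "\n")
}

// demo signs a constructed request whose only cookie is the session cookie.
func demo(dropEmpty, skipEmpty bool) string {
	h := http.Header{"Cookie": {"session=abc"}, "X-Forwarded-User": {"alice"}}
	stripSessionCookie(h, "session", dropEmpty)
	return signingString(h, []string{"Cookie", "X-Forwarded-User"}, skipEmpty)
}

func main() {
	fmt.Printf("reported: %q\nfixed:    %q\n", demo(false, false), demo(true, false))
}
```

An upstream verifier whose HTTP stack drops the empty Cookie header would build the second string and reject a signature computed over the first.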