SP cookie bloat

Pascal Rigaux pascal.rigaux at univ-paris1.fr
Mon Oct 24 09:13:05 UTC 2022


Hi,

As far as I understand, the "_opensaml_req_ssxxx" cookie:
- has been introduced in Shibboleth SP 3.1.0 for CSRF protection (https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2065335693/ReleaseNotes#CSRF-Protection)
- the protection seems disabled by default (https://shibboleth.atlassian.net/wiki/spaces/SP3/pages/2096693787/CSRF)


With the cookie, I get:

 > 2022-10-24 11:07:02 DEBUG OpenSAML.MessageDecoder.SAML2 [7] [xxx]: recovered request/response correlation value (_9e3288dxxxxx)

If I block the "_opensaml_req_ssxxx" cookie on the rev proxy, I get:

 > 2022-10-24 10:58:42 DEBUG OpenSAML.MessageDecoder.SAML2 [8] [xxx]: no request/response correlation cookie found

but it does not change anything since "correlation checking is disabled".



Details:
- the feature comes from CPPOST-112 (https://shibboleth.atlassian.net/browse/CPPOST-112)
- the commit introducing the cookie: https://git.shibboleth.net/view/?p=cpp-opensaml.git;a=commitdiff;h=eae759ea5c32951115f4248f4bc6040d7e28635f





On 22/10/2022 04:56, Paul Henson wrote:
> I'm investigating an issue where sometimes clients trying to access a
> shibboleth SP protected service receive a 400 Bad Request error because
> the size of the request headers is too big. When this occurs, there are
> an excessive number of _opensaml_req_ss cookies causing the problem.
> 
> For a single login, the initial connection resulting in a redirect to
> the idp sets a cookie:
> 
> GET https://sp-dev.pbhware.com/shibtest/ HTTP/1.1
> HTTP/1.1 302 Found
> Set-Cookie:
> _opensaml_req_ss%3Amem%3A42e08ffb8f67278dac7258fd5f4579e45a4075b7fdf24437c1653ec0067e2d87=_0d0cc6902f7c55fe70fae0eb7ac5b503;
> path=/; secure; HttpOnly; SameSite=None
> 
> and once the authentication is complete and processed by the SP, the
> cookie is cleared:
> 
> POST https://sp-dev.pbhware.com/Shibboleth.sso/SAML2/POST HTTP/1.1
> Cookie:
> _opensaml_req_ss%3Amem%3A42e08ffb8f67278dac7258fd5f4579e45a4075b7fdf24437c1653ec0067e2d87=_0d0cc6902f7c55fe70fae0eb7ac5b503
> 
> [...]



More information about the users mailing list
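As an added illustration of the header bloat Paul describes (example code written for this page, not code from the thread or from the Shibboleth project): a small Python diagnostic that parses a Cookie request header, counts the `_opensaml_req_ss%3Amem%3A...` correlation cookies it carries, measures the rebuilt header line against a typical per-header cap, and shows what forwarding without those cookies (what blocking them on a reverse proxy amounts to, as Pascal did) leaves behind. The cookie-name regex is generalised from the one name quoted above, the `_shibsession_` cookie name and the 8192-byte limit are assumptions, and the sample header is constructed so the script runs offline.

```python
import hashlib
import re
from typing import List, Tuple

Pair = Tuple[str, str]

# Wire form of the cookie name quoted in the thread:
#   _opensaml_req_ss%3Amem%3A<64 hex chars>
# "mem" is the storage-service name; treating the middle part as any
# token and the tail as exactly 64 hex chars is an assumption generalised
# from that single example, not something taken from the SP source.
CORRELATION_COOKIE_RE = re.compile(
    r"^_opensaml_req_ss%3A[A-Za-z0-9_-]+%3A[0-9a-f]{64}$"
)


def parse_cookie_header(header: str) -> List[Pair]:
    """Split the value of a Cookie request header into (name, value) pairs,
    preserving order and leaving names URL-encoded as the SP emits them."""
    pairs: List[Pair] = []
    for part in header.split(";"):
        part = part.strip()
        if not part:
            continue
        name, _, value = part.partition("=")
        pairs.append((name.strip(), value.strip()))
    return pairs


def correlation_cookies(pairs: List[Pair]) -> List[Pair]:
    """Return only the _opensaml_req_ss correlation cookies."""
    return [p for p in pairs if CORRELATION_COOKIE_RE.match(p[0])]


def drop_correlation_cookies(pairs: List[Pair]) -> List[Pair]:
    """What blocking the cookie on a reverse proxy amounts to: forward every
    cookie except the correlation ones. Harmless only while the SP logs
    'correlation checking is disabled'; with CSRF checking enabled the SP
    would no longer recover the value it stored at redirect time."""
    return [p for p in pairs if not CORRELATION_COOKIE_RE.match(p[0])]


def cookie_header_size(pairs: List[Pair]) -> int:
    """Bytes of the rebuilt 'Cookie: ...\\r\\n' header line."""
    return len("Cookie: " + "; ".join(f"{n}={v}" for n, v in pairs) + "\r\n")


def diagnose(header: str, limit: int = 8192) -> dict:
    """Summarise a Cookie header: how many correlation cookies it carries,
    how big it is, and whether it still exceeds `limit` (8 KiB is assumed
    as a typical per-header-line cap) once those cookies are stripped."""
    pairs = parse_cookie_header(header)
    stale = correlation_cookies(pairs)
    kept = drop_correlation_cookies(pairs)
    return {
        "cookies": len(pairs),
        "correlation_cookies": len(stale),
        "bytes": cookie_header_size(pairs),
        "bytes_without_correlation": cookie_header_size(kept),
        "over_limit": cookie_header_size(pairs) > limit,
        "over_limit_after_strip": cookie_header_size(kept) > limit,
    }


def build_sample_header(stale_count: int) -> str:
    """Constructed input: one SP session cookie (name shape assumed) plus
    `stale_count` correlation cookies that were never cleared, shaped like
    the one quoted in the thread. Hashes derive from a counter so the
    sample is reproducible offline."""
    cookies = ["_shibsession_64656661756c74=_" + "a" * 32]
    for i in range(stale_count):
        key = hashlib.sha256(f"req-{i}".encode()).hexdigest()          # 64 hex
        value = "_" + hashlib.sha256(f"corr-{i}".encode()).hexdigest()[:32]
        cookies.append(f"_opensaml_req_ss%3Amem%3A{key}={value}")
    return "; ".join(cookies)


if __name__ == "__main__":
    for n in (1, 70):
        print(n, diagnose(build_sample_header(n)))
```

Each leftover correlation cookie costs about 125 bytes on the wire, so a few dozen of them are enough to push the Cookie header past an 8 KiB limit on their own; the `over_limit_after_strip` flag tells you whether stripping them at the proxy would actually make the request fit or whether something else is filling the header.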