Opened 5 weeks ago

Last modified 3 days ago

#2266 new defect

QUIC: cookies not transferred correctly on redirect

Reported by: mkg20001@…
Owned by:
Priority: critical
Milestone:
Component: nginx-core
Version:
Keywords: quic
Cc: mkg20001@…
uname -a: Linux nix-test 5.10.52 #1-NixOS SMP Tue Jul 20 14:05:59 UTC 2021 x86_64 GNU/Linux
nginx -V: nginx version: nginx/1.21.3
built by gcc 10.3.0 (GCC)
built with OpenSSL 1.1.1 (compatible; BoringSSL) (running with BoringSSL)
TLS SNI support enabled
configure arguments: --prefix=/nix/store/7mphsk4i0dg1k8s76v0pjvidhl646z6j-nginx-quic --with-http_ssl_module --with-http_v2_module --with-http_realip_module --with-http_addition_module --with-http_xslt_module --with-http_sub_module --with-http_dav_module --with-http_flv_module --with-http_mp4_module --with-http_gunzip_module --with-http_gzip_static_module --with-http_auth_request_module --with-http_random_index_module --with-http_secure_link_module --with-http_degradation_module --with-http_stub_status_module --with-threads --with-pcre-jit --http-log-path=/var/log/nginx/access.log --error-log-path=/var/log/nginx/error.log --pid-path=/var/log/nginx/nginx.pid --http-client-body-temp-path=/var/cache/nginx/client_body --http-proxy-temp-path=/var/cache/nginx/proxy --http-fastcgi-temp-path=/var/cache/nginx/fastcgi --http-uwsgi-temp-path=/var/cache/nginx/uwsgi --http-scgi-temp-path=/var/cache/nginx/scgi --with-stream --with-stream_realip_module --with-stream_ssl_module --with-stream_ssl_preread_module --with-http_image_filter_module --with-http_geoip_module --with-stream_geoip_module --with-file-aio --with-http_v3_module --with-http_quic_module --with-stream_quic_module --add-module=/nix/store/2ysp5ichpccf4lv1wp2qcwz0bmm840f1-rtmp --add-module=/nix/store/6pb7j6kymf3y4xs5blp3g8mwin2j22kk-dav --add-module=/nix/store/y39g23fn8ikzcd1iy3b1bclqwjk2qmxd-moreheaders

Description

Occurs with Chrome 93.0.4577.82

Cookies are not properly transferred when accessing a site that redirects to an SSO portal and then redirects back (SSO being h2-enabled, application being h3-enabled).

The session cookie of the application is shown to be sent by Chrome to the application, but the application did not receive it or something else occurred.

The problem was resolved by switching to the nginx mainline version, meaning it seems to be a fault in either NGINX's or Chrome's QUIC implementation.

(Application was GitLab, SSO was Keycloak, in case someone wants to reproduce.)

Attachments (2)

signin_redirect.har.gz (10.0 KB) - added by mkg20001@… 5 weeks ago.
HAR of redirect loop
signinff_success.har.gz (20.9 KB) - added by mkg20001@… 5 weeks ago.
HAR of login via Firefox 92.0 (it works with Firefox)
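
A way to triage a HAR capture like the ones attached here, as an added example that is not part of the ticket or of nginx: it lists each redirect hop with the protocol string the capture recorded and flags hops that repeat while the browser reports sending a cookie the server sets again. The hosts, paths and cookie names are constructed placeholders, and the re-issue heuristic is an assumption, not a diagnosis taken from the ticket.

```python
from collections import Counter
from urllib.parse import urlsplit

def _entry(url, proto, status, sent=(), set_=()):
    """Build a minimal HAR 1.2 entry (constructed sample data)."""
    return {
        "request": {"url": url, "cookies": [{"name": n, "value": "x"} for n in sent]},
        "response": {"status": status, "httpVersion": proto,
                     "cookies": [{"name": n, "value": "y"} for n in set_]},
    }

# Constructed capture: app.example (h3) and sso.example (h2) are placeholder hosts.
_ROUND = [
    _entry("https://sso.example/auth", "h2", 302, sent=["sso_session"]),
    _entry("https://app.example/callback", "h3", 302, sent=["app_session"]),
    _entry("https://app.example/protected", "h3", 302,
           sent=["app_session"], set_=["app_session"]),
]
SAMPLE_HAR = {"log": {"entries": [
    _entry("https://app.example/protected", "h3", 302, set_=["app_session"]),
    *_ROUND, *_ROUND,
]}}

def redirect_hops(har):
    """One row per redirect response: (host, path, protocol, cookies sent, cookies set)."""
    rows = []
    for e in har["log"]["entries"]:
        req, resp = e["request"], e["response"]
        if 300 <= resp["status"] < 400:
            u = urlsplit(req["url"])
            rows.append((u.hostname, u.path, resp.get("httpVersion", "?"),
                         frozenset(c["name"] for c in req.get("cookies", [])),
                         frozenset(c["name"] for c in resp.get("cookies", []))))
    return rows

def suspicious_hops(har, min_repeats=2):
    """Hops that repeat while the browser reports sending a cookie the server sets again.

    Heuristic only: a server that re-issues a cookie it was just sent may not
    have seen it, but legitimate session rotation looks the same.
    """
    counts = Counter((h, p, proto) for h, p, proto, sent, set_ in redirect_hops(har)
                     if sent & set_)
    return {hop: n for hop, n in counts.items() if n >= min_repeats}

if __name__ == "__main__":
    for hop, n in suspicious_hops(SAMPLE_HAR).items():
        print(n, *hop)
```

To run it on a real capture, decompress the file and pass the result of `json.load()` to `suspicious_hops()`; the cookies in a HAR are what the browser reports sending, so a flagged hop still needs the server-side log to confirm what arrived.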


Change History (3)

by mkg20001@…, 5 weeks ago

Attachment: signin_redirect.har.gz added

HAR of redirect loop

by mkg20001@…, 5 weeks ago

Attachment: signinff_success.har.gz added

HAR of login via Firefox 92.0 (it works with Firefox)

comment:1 by DoM1niC@…, 2 weeks ago

I have the same problem. Any workaround? Some scripts don't work, e.g. Nextcloud / Rainloop.
