#6994 Koschei login not working without Kerberos ticket
Closed: Fixed 2 years ago Opened 2 years ago by mizdebsk.

When I try to log into production Koschei web app and I don't have Kerberos ticket active, I get infinite redirect between id.fedoraproject.org and Koschei frontend. With Kerberos ticket login works fine on first attempt. Staging works fine with or without ticket.

Steps to reproduce:
1. Make sure you don't have Kerberos ticket (kdestroy -A) and browse to https://apps.fedoraproject.org/koschei/login to try to login. Firefox shows "The page isn’t redirecting properly" page.
2. Obtain Kerberos ticket (kinit -k mizdebsk@FEDORAPROJECT.ORG) and try to login again. This attempt succeeds.

Originally reported on IRC by @raphgro:

<raphgro> hi, I try to connect to koschei. my firefox plays ping-pong between apps and id.fedoraproject.org till it reports a redirection error

This is caused by Koschei using mod_auth_openidc with memory storage.
This means that everytime you hit the other web server, the state is reset.

You'll want to look at https://github.com/zmartzone/mod_auth_openidc/blob/master/auth_openidc.conf#L484 and on and line 465 to set session across servers.

Metadata Update from @mizdebsk:
- Issue assigned to mizdebsk

2 years ago

It should be fixed now - thanks @puiterwijk for the pointer. I've switched to keeping login session data in cookies rather than server-side, which is less secure, but we are keeping application sessions in cookies anyway.


Metadata Update from @mizdebsk:
- Issue close_status updated to: Fixed
- Issue status updated to: Closed (was: Open)

2 years ago

Thanks. Login to Koschei works again.

Login to comment on this ticket.