shreemaan-abhishek opened a new pull request, #13671:
URL: https://github.com/apache/apisix/pull/13671

   ### Description
   
   When two `openid-connect` routes on the same host share a `session.secret`, 
they both fall back to 
[lua-resty-session](https://github.com/bungle/lua-resty-session)'s default 
cookie name `"session"`. An unauthenticated visit to route A stores the 
pre-login `state`/`nonce` in that cookie; a subsequent unauthenticated visit to 
route B (carrying the same cookie) overwrites it. When route A's callback then 
arrives, the state no longer matches and `lua-resty-openidc` returns:
   
   ```
   state from argument: <A> does not match state restored from session: <B>
   ```
   
   surfacing as an HTTP 500 to the user. This is purely a cookie-naming 
collision, not an auth bypass.
   
   This PR defaults an unset `session.cookie_name` to a stable per-route name 
derived from the route id (falling back to `client_id`), so sibling routes each 
get their own session cookie and no longer clobber each other's pre-login 
state. An operator-set `session.cookie_name` is still honored, so deployments 
that intentionally share one session cookie across routes are unaffected.
   
   Note on upgrade: because the default cookie name changes, any in-flight 
sessions using the old default `"session"` cookie are not recognized after 
upgrade and users re-authenticate once. Config API and behavior contracts are 
otherwise unchanged.
   
   #### Which issue(s) this PR fixes:
   <!-- filed privately -->
   
   ### Checklist
   
   - [x] I have explained the need for this PR and the problem it solves
   - [x] I have explained the changes or the new features added to this PR
   - [x] I have added tests corresponding to this change
   - [x] I have updated the documentation to reflect this change
   - [x] I have verified that this change is backward compatible (config and 
behavior contracts preserved; see the one-time re-login note above)


-- 
This is an automated message from the Apache Git Service.
To respond to the message, please log on to GitHub and use the
URL above to go to the specific comment.

To unsubscribe, e-mail: [email protected]

For queries about this service, please contact Infrastructure at:
[email protected]

Reply via email to