
Session cookie lifespan #3208

Closed
6 tasks done
harnash opened this issue Apr 3, 2023 · 1 comment
Labels
bug Something is not working.

Comments

@harnash
Contributor

harnash commented Apr 3, 2023

Preflight checklist

Describe the bug

I'm not 100% sure, but looking at the code I might be right.
Kratos has a configurable session lifespan via the session.lifespan configuration option. The default value is 24 hours. Setting this option to something longer than 30 days may cause the session to be invalidated prematurely.

We have this setting set to 180 days; however, we have reports of users being logged out prematurely.

Looking at the code, we have found that the session lifespan is properly set in:

  • the cookie expiration date in the browser
  • the session expiration date in the sessions table in the database

Kratos uses https://github.com/ory/sessions, which is a fork of https://github.com/gorilla/sessions, to store and encode/decode session cookies. This library uses an internally stored (in the encoded cookie) timestamp to verify cookie validity. Kratos sets the cookie TTL here https://github.com/ory/kratos/blob/master/driver/registry_default.go#L512; however, the codecs of https://github.com/ory/sessions still have the default value, which is set here https://github.com/ory/sessions/blob/master/store.go#L54. I believe that whenever a cookie is being decoded and the internal timestamp is 30 days old or older, it will not be decoded properly and it will cause the user to be logged out.

Reproducing the bug

  1. Set session.lifespan to a value greater than 30 days
  2. Issue a cookie that is valid and has its timestamp set to a date 30 days earlier than the current time (either modify the server time or generate a cookie with a manually set timestamp)
  3. Check if /sessions/whoami recognizes the given cookie (it should return HTTP status 401)

Relevant log output

No response

Relevant configuration

session:
    lifespan: 4320h

Version

v0.10.0

On which operating system are you observing this issue?

Linux

In which environment are you deploying?

Kubernetes

Additional Context

I've replicated this issue by synthetically generating cookies with tampered timestamps, and I can concur that this is actually happening.
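The mechanism described in the report, reduced to a runnable model. This is an added example and not code from Kratos or ory/sessions: the Codec type below mimics only the relevant behaviour of a securecookie-style codec (a timestamp embedded in the signed value, rejected once it is older than the codec's own MaxAge), and the WhoamiStatus function stands in for /sessions/whoami by requiring both a decodable cookie and an unexpired session row. The key, session id and dates are constructed. Demo issues one cookie with a 180-day session (4320h, as in the reported configuration) and checks it 31 days later, once with a codec left at a 30-day MaxAge and once with the codec MaxAge aligned to the session lifespan.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/base64"
	"errors"
	"fmt"
	"strconv"
	"strings"
	"time"
)

// defaultCodecMaxAge models a codec default of 30 days that is independent
// of the configured session lifespan (constructed value for this example).
const defaultCodecMaxAge = 30 * 24 * time.Hour

var (
	ErrExpired = errors.New("cookie timestamp older than codec max age")
	ErrBadMAC  = errors.New("cookie signature or format invalid")
)

// Codec is a toy stand-in for a securecookie-style codec: it signs the
// value together with its issue time and, on decode, rejects values whose
// embedded timestamp is older than maxAge.
type Codec struct {
	key    []byte
	maxAge time.Duration
}

// Encode returns "<issued-unix>|<value>|<base64 hmac>".
func (c *Codec) Encode(value string, issuedAt time.Time) string {
	body := strconv.FormatInt(issuedAt.Unix(), 10) + "|" + value
	mac := hmac.New(sha256.New, c.key)
	mac.Write([]byte(body))
	return body + "|" + base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
}

// Decode verifies the signature first, then applies the max-age check
// against the embedded timestamp. A valid signature with an old timestamp
// yields ErrExpired, which is the case the report describes.
func (c *Codec) Decode(cookie string, now time.Time) (string, error) {
	i := strings.LastIndex(cookie, "|")
	if i < 0 {
		return "", ErrBadMAC
	}
	body, sig := cookie[:i], cookie[i+1:]
	mac := hmac.New(sha256.New, c.key)
	mac.Write([]byte(body))
	want := base64.RawURLEncoding.EncodeToString(mac.Sum(nil))
	if !hmac.Equal([]byte(sig), []byte(want)) {
		return "", ErrBadMAC
	}
	parts := strings.SplitN(body, "|", 2)
	ts, err := strconv.ParseInt(parts[0], 10, 64)
	if err != nil || len(parts) != 2 {
		return "", ErrBadMAC
	}
	if c.maxAge > 0 && now.Sub(time.Unix(ts, 0)) > c.maxAge {
		return "", ErrExpired
	}
	return parts[1], nil
}

// WhoamiStatus models /sessions/whoami: 200 only if the cookie decodes and
// the session row has not expired; otherwise 401.
func WhoamiStatus(c *Codec, cookie string, sessionExpiresAt, now time.Time) int {
	if _, err := c.Decode(cookie, now); err != nil {
		return 401
	}
	if !now.Before(sessionExpiresAt) {
		return 401
	}
	return 200
}

// Demo returns the whoami status 31 days after issuance for a codec left at
// the 30-day default and for one aligned with the 180-day session lifespan.
func Demo() (withDefaultMaxAge, withAlignedMaxAge int) {
	lifespan := 4320 * time.Hour // 180 days, as in the reported configuration
	key := []byte("constructed-demo-key-not-for-production")
	issued := time.Date(2023, 1, 1, 0, 0, 0, 0, time.UTC)
	now := issued.Add(31 * 24 * time.Hour)
	sessionExpiresAt := issued.Add(lifespan) // what the sessions table holds

	defaultCodec := &Codec{key: key, maxAge: defaultCodecMaxAge}
	alignedCodec := &Codec{key: key, maxAge: lifespan}
	cookie := defaultCodec.Encode("session-id-123", issued)

	return WhoamiStatus(defaultCodec, cookie, sessionExpiresAt, now),
		WhoamiStatus(alignedCodec, cookie, sessionExpiresAt, now)
}

func main() {
	d, a := Demo()
	fmt.Printf("codec MaxAge 30d: %d, codec MaxAge = session lifespan: %d\n", d, a)
}
```

With the codec left at its default the user gets 401 on day 31 even though both the browser cookie and the database row are valid for another five months; aligning the codec max age with session.lifespan removes the mismatch. When auditing a deployment, compare the configured lifespan against every layer that independently enforces an age (codec, cookie Max-Age, session table) rather than only the one exposed in the config file.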

@harnash harnash added the bug Something is not working. label Apr 3, 2023
@harnash
Contributor Author

harnash commented Apr 3, 2023

Potential fix: #3209

@aeneasr aeneasr closed this as completed in 1180c05 Apr 4, 2023