Severun

Reputation: 2916

Using subdomain cookies with mod_auth_openidc

So I have a wildcard host on an Apache server using mod_auth_openidc. The relevant bits of my Apache config are:

<VirtualHost *:443>
ServerAlias *.sub.mydomain.com
OIDCRedirectURI https://sub.mydomain.com/oauth2callback
OIDCCookieDomain sub.mydomain.com

Is there anything that would prevent a user from authenticating with foo.sub.mydomain.com, then also being authenticated with bar.sub.mydomain.com without having to log in again?

Upvotes: 2

Views: 2079

Answers (1)

Hans Z.

Reputation: 54118

No, that works since the session cookie is set on sub.mydomain.com and as such received on foo.sub.mydomain.com as well as bar.sub.mydomain.com.

What you describe in the comment is not really an attack since it is the same user in the same browser. Sort of the equivalent of what is mentioned above, except handled manually in the browser... It would be a problem if you could somehow steal a cookie from another user, but then again that would be an attack not specific to mod_auth_openidc and is impossible assuming everything runs over https and there's no malware in the browser.

If you really need separation you can split out into virtual hosts and run a different mod_auth_openidc configuration in each host. Then the Apache cookies won't be reusable across the two hosts. Of course both hosts would still redirect to the OP for authentication, and an SSO session+cookie may exist there that binds the two sessions together implicitly.

Upvotes: 1
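Added example (not code from the question, the answer, or the mod_auth_openidc project) of the per-host split the answer describes: two virtual hosts, each with its own redirect URI, cookie name and crypto passphrase, and with OIDCCookieDomain left unset so each session cookie is host-only. The OP URL, client id, client secret and passphrases are placeholders; the TLS directives every `*:443` host also needs are omitted for brevity.

```apacheconf
# Shared provider/client settings; placeholders, replace with your OP's values.
# (Apache does not allow comments after a directive on the same line,
# so every comment here sits on its own line.)
OIDCProviderMetadataURL https://op.example.com/.well-known/openid-configuration
OIDCClientID            placeholder-client-id
OIDCClientSecret        placeholder-client-secret

<VirtualHost *:443>
    ServerName foo.sub.mydomain.com
    # Callback lands on this host, so the session cookie is set for this host.
    OIDCRedirectURI https://foo.sub.mydomain.com/oauth2callback
    # No OIDCCookieDomain here: the cookie is host-only and the browser sends it
    # to foo.sub.mydomain.com only, never to bar.sub.mydomain.com.
    # A distinct cookie name keeps the two sessions visibly separate.
    OIDCCookie mod_auth_openidc_session_foo
    # Per-host passphrase: state/session cookies encrypted by one host cannot be
    # decrypted by the other even if a cookie were copied across manually.
    OIDCCryptoPassphrase placeholder-passphrase-foo
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>

<VirtualHost *:443>
    ServerName bar.sub.mydomain.com
    OIDCRedirectURI https://bar.sub.mydomain.com/oauth2callback
    OIDCCookie mod_auth_openidc_session_bar
    OIDCCryptoPassphrase placeholder-passphrase-bar
    <Location />
        AuthType openid-connect
        Require valid-user
    </Location>
</VirtualHost>
```

To confirm the separation, log in on foo.sub.mydomain.com and inspect the Set-Cookie response in the browser's developer tools: the mod_auth_openidc cookie should carry no Domain attribute, and a subsequent request to bar.sub.mydomain.com should trigger a fresh redirect to the OP. As the answer notes, that redirect may complete without a new login if the OP still holds its own SSO session for the user.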
