Reputation: 2642
So I realized that when I delete the JSESSIONID cookie from the browser and attempt to initiate an authentication, it fails because the JSESSIONID is not created before redirecting to the IdP. It seems like a session is created, but the callback does not use the same session; it creates another one, so pac4j loses state.
This happens only in this scenario. If the JSESSIONID already exists (even if not authenticated), the login and callback are able to maintain the same session state.
How do I fix this? It looks like the CSRF token does not behave like this, just the JSESSIONID. This is not trivial for me, since it means that for new or cleared browsers my authentication will always fail initially.
This happens both for pac4j-saml and pac4j-oidc. I suppose this may have nothing to do with pac4j per se, but I'm not sure.
Upvotes: 0
Views: 22
Reputation: 2642
So the way I fixed this was to check if the JSESSIONID cookie is present in the web context and set it if not present. I did this before the login process was initiated.
I extended DefaultSecurityLogic and overrode the startAuthentication() method:
```java
// Types assumed from the stack in use: pac4j-jax-rs (ServletJaxRsContext), Jetty (HttpCookie, SessionHandler)
import javax.servlet.http.HttpSession;
import org.eclipse.jetty.http.HttpCookie;
import org.pac4j.core.context.Cookie;
import org.pac4j.jax.rs.servlet.pac4j.ServletJaxRsContext;

// Body of the startAuthentication() override; `context` is the pac4j WebContext
// and `sessionHandler` is the Jetty SessionHandler of the web app.
// Create the container session now (before the redirect to the IdP) if none exists yet.
HttpSession httpSession = ((ServletJaxRsContext) context).getRequest().getSession(true);
var existingCookies = context.getRequestCookies();
// The context path here needs to be '/', otherwise ...
HttpCookie httpCookie = sessionHandler.getSessionCookie(httpSession, "/", false);
// Browser already sent the session cookie: nothing to do, the callback will share this session.
if (existingCookies.stream().anyMatch(cookie -> cookie.getName().equals(httpCookie.getName()))) {
    return;
}
// Otherwise copy the container's session cookie into the response so the redirect carries it.
var cookie = new Cookie(httpCookie.getName(), httpCookie.getValue());
cookie.setPath(httpCookie.getPath());
// ...
context.addResponseCookie(cookie);
```
Upvotes: 0
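The same idea, ensuring the container session (and therefore the JSESSIONID Set-Cookie) exists before pac4j issues the redirect to the IdP, can also be done one layer lower, in a servlet filter mapped in front of the pac4j security filter. The filter below is an added example written for this page; it is not code from the original answer or from pac4j, and the class name EnsureSessionFilter, the SessionState enum and the helper classify() are hypothetical. It uses only the standard Servlet API, so it does not depend on pac4j-jax-rs or on Jetty's SessionHandler.

```java
import java.io.IOException;
import javax.servlet.Filter;
import javax.servlet.FilterChain;
import javax.servlet.ServletException;
import javax.servlet.ServletRequest;
import javax.servlet.ServletResponse;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;
import javax.servlet.http.HttpSession;

/**
 * Hypothetical filter (example code, not part of pac4j). Mapped before the pac4j
 * security filter, it guarantees that a container session exists before pac4j
 * redirects to the IdP, so the Set-Cookie for JSESSIONID travels with that redirect
 * and the IdP callback arrives in the same session that holds pac4j's state.
 */
public class EnsureSessionFilter implements Filter {

    /** How the incoming request relates to the container's session state. */
    enum SessionState { NO_COOKIE, STALE_COOKIE, VALID_SESSION }

    /** Classifies the request; kept separate so it can be unit-tested with a mock request. */
    static SessionState classify(HttpServletRequest request) {
        if (request.getRequestedSessionId() == null) {
            return SessionState.NO_COOKIE;      // fresh or cleared browser: no JSESSIONID sent
        }
        if (!request.isRequestedSessionIdValid()) {
            return SessionState.STALE_COOKIE;   // JSESSIONID sent, but that session is gone
        }
        return SessionState.VALID_SESSION;      // the case the original post says already works
    }

    @Override
    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        HttpServletResponse response = (HttpServletResponse) res;

        SessionState state = classify(request);
        if (state != SessionState.VALID_SESSION) {
            // getSession(true) creates a new session. As long as the response is not
            // yet committed, the container itself adds "Set-Cookie: JSESSIONID=..."
            // to whatever response follows, including pac4j's 302 to the IdP.
            HttpSession session = request.getSession(true);
            if (response.isCommitted()) {
                // Too late for the container to add the cookie: the redirect would go
                // out without it and the callback would land in a different session.
                // Fail loudly instead of losing the login state silently.
                throw new ServletException("response already committed; session "
                        + session.getId() + " cannot be set on the client (" + state + ")");
            }
        }
        chain.doFilter(request, response);
    }
}
```

Register it in web.xml ahead of the pac4j filter (filter order follows the order of filter-mapping elements; @WebFilter annotations give no ordering guarantee). Two caveats apply to either approach. First, when the session cookie is added by hand, as in the answer above, the attributes the container would normally apply from its session-config (HttpOnly, Secure, SameSite) are not applied automatically and must be set on the pac4j Cookie as well. Second, a cookie with SameSite=Strict or SameSite=Lax is not sent on a cross-site POST, and the SAML HTTP-POST binding callback from the IdP is exactly such a request; an OIDC callback delivered as a top-level GET (the default query response mode) is sent with a Lax cookie. Check the session cookie's SameSite setting before assuming the session was never created.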