
Double Cookie based Authentication leads to wrong cookie serialisation #2358

Open
AMorgaut opened this issue Dec 1, 2021 · 0 comments

AMorgaut commented Dec 1, 2021

Q&A

  • OS: Windows
  • Environment: Chrome 96
  • Method of installation: online swagger editor
  • Swagger-Client version: 4.1.0
  • Swagger/OpenAPI version: OpenAPI 3.0.3

Content & configuration

Swagger/OpenAPI definition:

openapi: 3.0.3
info:
  title: example
  version: 0.1.0
paths:
  /sample:
    post:
      security:
        - Session_ID: []
        - Correlation_ID: []
      responses:
        200:
          description: OK
          content:
            application/json:
              schema:
                type: boolean
components:
  securitySchemes:
    Session_ID:
      type: apiKey
      in: cookie
      name: ssid
    Correlation_ID:
      type: apiKey
      in: cookie
      name: correlation_id

Describe the bug you're encountering

The API I'm documenting is session based.
Sessions can be anonymous or not.

Those sessions rely on:

  • a session id in a cookie
  • a correlation id in another cookie

By defining 2 apiKey security schemes and listing them both for the target route,
when I click execute, the generated curl request shows an invalid Cookie header.

To reproduce...

Steps to reproduce the behavior:

  1. Click on Authorize
  2. set a value for the session id cookie (ex: foo)
  3. set a value for the correlation id cookie (ex: bar)
  4. close the authorization popup
  5. tryout & execute the /sample request

The generated Cookie header is
Cookie: ssid=foo&correlation_id=bar

Expected behavior

The & is an invalid cookie separator.
The cookie separator should be ;
Cookie: ssid=foo; correlation_id=bar


Additional context or thoughts

Several thoughts:

  1. the session id and the correlation id are meant to be returned by a previous request... wondering if the securitySchemes are the best way to handle such a use case vs using operationId and links. But targeting two separate response cookies is not obvious. The runtimeExpression spec doesn't support cookie sources and won't help to distinguish 2 Set-Cookie headers based on the cookie names
  2. one of the reasons why there is a correlation id is because the session id is regularly updated (based on the session id renewal timeout recommended by OWASP). The authorize form will keep the initial session id value. It would be nice to be able to define that cookie as automatically renewable so it gets changed when a response gives that cookie a new value. (but that would need an update to the OpenAPI spec)
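The following is an added illustration of the serialisation problem described in this issue; it is not swagger-client or swagger-ui code. It takes the issue's OpenAPI definition (transcribed into a JavaScript object, which is an assumption about how the client holds the parsed spec) and the two values typed into the Authorize dialog, builds the Cookie header both the correct way (RFC 6265 pairs separated by `; `) and the reported way (joined with `&`), then parses each header as a server would. The percent-encoding of cookie values is a choice made here for the example, not something the issue specifies.

```javascript
// Added example (not swagger-client code): serialise apiKey-in-cookie
// credentials into a Cookie header and show why joining with "&" breaks it.

// Constructed copy of the issue's OpenAPI definition as a JS object.
const spec = {
  paths: {
    "/sample": {
      post: {
        security: [{ Session_ID: [] }, { Correlation_ID: [] }],
      },
    },
  },
  components: {
    securitySchemes: {
      Session_ID: { type: "apiKey", in: "cookie", name: "ssid" },
      Correlation_ID: { type: "apiKey", in: "cookie", name: "correlation_id" },
    },
  },
};

// Values entered in the Authorize dialog (constructed, as in the issue).
const authorized = { Session_ID: "foo", Correlation_ID: "bar" };

// Collect [cookieName, value] pairs for every cookie-based apiKey scheme that
// the operation's security requirements reference and that has a value.
function cookieCredentials(doc, path, method, authorizedValues) {
  const op = doc.paths[path][method];
  const schemes = doc.components.securitySchemes;
  const pairs = [];
  for (const requirement of op.security || []) {
    for (const schemeName of Object.keys(requirement)) {
      const scheme = schemes[schemeName];
      if (!scheme || scheme.type !== "apiKey" || scheme.in !== "cookie") continue;
      if (!(schemeName in authorizedValues)) continue;
      pairs.push([scheme.name, String(authorizedValues[schemeName])]);
    }
  }
  return pairs;
}

// RFC 6265 cookie-pair syntax: name=value pairs separated by "; ".
// Values may not contain ";", "," or whitespace, so they are percent-encoded
// here (an assumption for this example, not the client's actual behaviour).
function cookieHeader(pairs) {
  return pairs.map(([n, v]) => `${n}=${encodeURIComponent(v)}`).join("; ");
}

// The serialisation reported in the issue: pairs joined with "&" as if the
// cookies were a query string.
function brokenCookieHeader(pairs) {
  return pairs.map(([n, v]) => `${n}=${encodeURIComponent(v)}`).join("&");
}

// Parse a Cookie header the way a server does: split on ";" only, then on
// the first "=" of each pair. Anything after "&" stays inside the value.
function parseCookieHeader(header) {
  const out = {};
  for (const part of header.split(";")) {
    const trimmed = part.trim();
    if (!trimmed) continue;
    const eq = trimmed.indexOf("=");
    const name = eq === -1 ? trimmed : trimmed.slice(0, eq);
    const value = eq === -1 ? "" : decodeURIComponent(trimmed.slice(eq + 1));
    out[name] = value;
  }
  return out;
}

const pairs = cookieCredentials(spec, "/sample", "post", authorized);
console.log(cookieHeader(pairs));        // ssid=foo; correlation_id=bar
console.log(brokenCookieHeader(pairs));  // ssid=foo&correlation_id=bar
console.log(parseCookieHeader(brokenCookieHeader(pairs)));
// { ssid: 'foo&correlation_id=bar' } -> the server never sees correlation_id
```

Parsing the `&`-joined header shows the practical effect: the server receives a single cookie named `ssid` whose value is `foo&correlation_id=bar`, so the session lookup fails and the correlation id is silently lost.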