Infinite loop — The problem with OAuth, Cookie Authentication and Virtual Directory

Jonatan Machado
2 min read · Nov 28, 2018

Recently I had a problem with Cookie Authentication that put the application into an infinite loop during the OAuth redirect flow.
I was using ASP.NET Core 2.1 hosted on IIS in this example.

There are a few ways to get this problem. Two common ones: the cookie is set with SameSite=Strict, so the browser refuses to attach it on the navigation that arrives via the provider's cross-site redirect, or the cookie Path differs in letter case from the path the browser later requests.

For the first reason, you can read more here and here.

For the second, I'll show you what happens in more detail.

If you are not familiar with the OAuth2 authorization code flow, here is an outline.
We have the app (http://app) and the provider (http://provider), and they interact during the authentication phase as follows:

  1. Browser sends GET http://app
  2. 302 redirect to http://provider (no authentication cookie was present)
  3. Browser sends GET http://provider
  4. 200 response with the login page
  5. User completes login
  6. Browser sends POST http://provider
  7. 302 redirect to http://app/signin-oauth?code=...
  8. Browser sends GET http://app/signin-oauth?code=... (the app exchanges the code with the provider server-side)
  9. 302 redirect to http://app, with a Set-Cookie header that creates the authentication cookie
  10. Browser sends GET http://app with the cookie attached, and it's done.

The infinite loop happens between steps 9 and 10.
The browser does not send back the authentication cookie created in step 9.
Since the app cannot confirm the authentication, the flow goes back to step 2, and it keeps going round until you close the browser.
This is common when the app is hosted in a virtual directory such as http://domain/app, because the authentication cookie is then scoped to the virtual directory's path instead of /.

Let's take a look at how Cookie.Path is set when we open Gmail:

The cookies are set for https://mail.google.com/mail/u/0, that is, Path=/mail/u/0.

What if one of those cookies had been set with Path=/Mail/u/0 instead?
We would have a problem, because Cookie.Path is case sensitive: the browser would not attach that cookie to a request for /mail/u/0.

Confused?

I'm not sure about it, but I think it is related to how the OS works with file names.
Unix-like systems are case sensitive, while Microsoft's are not.

So if a Unix server receives a request for http://app/MyFile.txt, it looks for a file named exactly MyFile.txt.

For Microsoft servers the case doesn't matter.

Let's clarify a little bit. Whatever the server does with file names, the comparison that matters for cookies happens in the browser: RFC 6265 matches the cookie Path as a byte-for-byte prefix of the request path, while host names are compared case-insensitively.

A cookie stored for
http://Domain.com

can be read using
http://domain.com

A cookie stored for
http://domain.com/SomePath

cannot be read using
http://domain.com/somepath

The browser would simply not send it, and the server would never see it.
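The following is an added example, not code from the original post, that models the two comparisons described above (host names case-insensitive, paths case-sensitive) the way RFC 6265 sections 5.1.3 and 5.1.4 define them, and then replays the Gmail and virtual-directory scenarios through a constructed cookie jar. The host `app.example.com`, the cookie name `.AspNetCore.Cookies` and the ticket value are assumed for illustration; the cookie jar is constructed inline, no browser is involved.

```javascript
// Added example: a minimal model of how a browser picks the cookies to attach to a
// request. This is not the original post's code; host and cookie values are made up.

// RFC 6265 5.1.4: the default-path a browser derives when Set-Cookie has no Path.
function defaultPath(uriPath) {
  if (!uriPath || uriPath[0] !== '/') return '/';
  const lastSlash = uriPath.lastIndexOf('/');
  if (lastSlash === 0) return '/';
  return uriPath.slice(0, lastSlash);
}

// RFC 6265 5.1.4 path-match: a plain prefix comparison, no case folding, so
// /mail/u/0 does not match a cookie with Path=/Mail/u/0.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// RFC 6265 5.1.3 domain-match (simplified: host names only, no IP handling).
// Both sides are canonicalized to lower case, so Domain.com equals domain.com.
function domainMatches(requestHost, cookieDomain) {
  const h = requestHost.toLowerCase();
  const d = cookieDomain.toLowerCase();
  if (h === d) return true;
  return h.endsWith(d) && h[h.length - d.length - 1] === '.';
}

// The name=value pairs the browser would put in the Cookie header for a request.
function cookiesFor(jar, host, path) {
  return jar
    .filter(c => domainMatches(host, c.domain) && pathMatches(path, c.path))
    .map(c => `${c.name}=${c.value}`);
}

// Replay steps 2, 9 and 10 of the flow: the callback sets the auth cookie scoped to
// cookiePath and redirects to landingPath; the app then checks for the cookie.
// Returns whether the app ever saw the cookie and how many round trips to the
// provider it took; maxRounds caps the infinite loop the post describes.
function simulateLogin(host, cookiePath, landingPath, maxRounds = 5) {
  const jar = [];
  for (let round = 1; round <= maxRounds; round++) {
    // step 2: no usable cookie, so the app redirects to the provider
    // step 9: the callback issues the cookie (constructed ticket value)
    jar.length = 0;
    jar.push({ name: '.AspNetCore.Cookies', value: 'constructed-ticket', domain: host, path: cookiePath });
    // step 10: the browser requests landingPath; does the cookie come along?
    const sent = cookiesFor(jar, host, landingPath);
    if (sent.some(c => c.startsWith('.AspNetCore.Cookies='))) {
      return { authenticated: true, redirectsToProvider: round };
    }
  }
  return { authenticated: false, redirectsToProvider: maxRounds };
}

// Gmail scenario from the post: same path, one cookie differs only in case.
const gmailJar = [
  { name: 'A', value: '1', domain: 'mail.google.com', path: '/mail/u/0' },
  { name: 'B', value: '2', domain: 'mail.google.com', path: '/Mail/u/0' },
];
console.log(cookiesFor(gmailJar, 'mail.google.com', '/mail/u/0'));    // only A=1
console.log(simulateLogin('app.example.com', '/app', '/app'));          // authenticated after 1 redirect
console.log(simulateLogin('app.example.com', '/App', '/app'));          // never authenticated: the loop
```

The `simulateLogin` call with `/App` versus `/app` is the virtual-directory case: the cookie is set with the directory name in one casing and the post-login redirect requests it in another, so the browser never attaches the cookie and the app keeps bouncing to the provider.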

Pay close attention to the casing of those paths, otherwise it leads to all sorts of issues.
