Conflicting SSOwat with two instances on same domain

My YunoHost configuration

Hardware: x64 vps + rpi 3
Internet access: datacenter + ethernet at home
YunoHost version:
yunohost: 2.7.9
yunohost-admin: 2.7.7
moulinette: 2.7.7
ssowat: 2.7.7

Description of my problem

I have two YunoHost instances, one on a VPS, another on a RPi at home. VPS’ main domain is something like main.domain, RPi’s rpi.main.domain. That may be a very specific use case, I just did not want to bother paying for another domain.

If I login first on main.domain, then any attempt to login on rpi.main.domain won’t work. SSOwat login page only refreshes, with no errors displayed, nor in logs. No problem the other way around.

I did notice that, during CLI post-installation on the RPi, main.domain was displayed after LDAP setup, instead of rpi.main.domain. But rpi.main.domain is correctly displayed as sole domain on the RPi.


Eh, I’m not sure about the last paragraph?

But the thing with the SSO is probably due to the fact that the authentication cookie is valid for *.main.domain, which includes rpi.main.domain … So then the SSO on rpi.main.domain doesn’t know what to do with the cookie from main.domain because it didn’t emit it, I guess… Really not sure how to solve / work around this, except maybe use private browsing when connecting to rpi.main.domain :confused:


I forgot to specify that, indeed, private browsing circumvents the issue. So OK, I have to isolate the cookies. :slightly_smiling_face:

May it be possible to generate the cookie for each registered subdomains, instead of *.main.domain ?

On the last issue, I have no log for the postinstall unfortunately.

Well I’m really not familiar with those topics, but I don’t think that’s easy. When you go to a website and authenticate or get a cookie, your browser will treat it such that it’s expected to be valid / relevant for any subdomain of that domain … And because this shouldn’t happen for some domains (say, you wouldn’t be happy if the owners of freeboxhd.com were able to craft cookies that are valid even for johndoe.freeboxhd.com, because this has security implications), people created a “public suffix list” such that for specific domains this does not happen (in the sense that browsers like Firefox know this list and therefore change the behavior of cookies for these).

In that sense, I don’t think that’s related to YunoHost directly. Except that ~maybe~ the SSO could be tweaked to ignore cookies from main.domain if the cookie is expected to come from rpi.main.domain … But I really don’t know how that works in details :confused:

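To make the cookie-scoping explanation above concrete, here is an added example (not SSOwat or YunoHost code, and not from any participant in this thread) that implements the RFC 6265 domain-matching rules a browser applies. The host names, the cookie name `sso_session` and the tiny public-suffix set are constructed for illustration; the public-suffix handling mirrors the `freeboxhd.com` case mentioned in the reply. It shows why a session cookie scoped to `main.domain` is also attached to requests for `rpi.main.domain`, and that a host-only cookie (no `Domain` attribute) would not be.

```python
"""Added example: RFC 6265 cookie domain matching, to illustrate why a cookie
scoped to main.domain is also sent to rpi.main.domain.

Not SSOwat/YunoHost code. All hosts, cookie names and the public-suffix set
below are constructed for this illustration.
"""
from dataclasses import dataclass
from typing import List, Set


@dataclass(frozen=True)
class Cookie:
    name: str
    domain: str       # stored Domain (host name when host_only is True)
    host_only: bool   # True when the server sent no Domain attribute


def domain_matches(request_host: str, cookie_domain: str) -> bool:
    """RFC 6265 section 5.1.3: the request host equals the cookie domain,
    or is a subdomain of it (label boundary respected)."""
    request_host = request_host.lower().rstrip(".")
    cookie_domain = cookie_domain.lower().rstrip(".")
    if request_host == cookie_domain:
        return True
    return request_host.endswith("." + cookie_domain)


def accept_domain_attribute(request_host: str, domain_attr: str,
                            public_suffixes: Set[str]) -> bool:
    """RFC 6265 section 5.3, steps 5-6: a browser ignores a Set-Cookie whose
    Domain attribute is a public suffix (unless it is exactly the request host)
    or does not domain-match the request host."""
    domain_attr = domain_attr.lower().lstrip(".").rstrip(".")
    request_host = request_host.lower().rstrip(".")
    if domain_attr in public_suffixes and domain_attr != request_host:
        return False
    return domain_matches(request_host, domain_attr)


def cookies_for(request_host: str, jar: List[Cookie]) -> List[str]:
    """Domains of the cookies a browser would attach to a request for
    request_host (RFC 6265 section 5.4 step 1, domain criteria only)."""
    request_host = request_host.lower().rstrip(".")
    sent = []
    for c in jar:
        if c.host_only:
            if request_host == c.domain.lower():
                sent.append(c.domain)
        elif domain_matches(request_host, c.domain):
            sent.append(c.domain)
    return sent


# Constructed public-suffix set: freeboxhd.com stands in for a suffix whose
# registrant must not be able to set cookies covering every sub-domain.
PUBLIC_SUFFIXES = {"com", "domain", "freeboxhd.com"}

# Constructed jar: the VPS portal set its cookie with Domain=main.domain,
# the RPi portal with Domain=rpi.main.domain, same cookie name on both.
SCOPED_JAR = [
    Cookie("sso_session", "main.domain", host_only=False),
    Cookie("sso_session", "rpi.main.domain", host_only=False),
]

# Same two portals, but each omitted the Domain attribute (host-only cookies).
HOST_ONLY_JAR = [
    Cookie("sso_session", "main.domain", host_only=True),
    Cookie("sso_session", "rpi.main.domain", host_only=True),
]


if __name__ == "__main__":
    # With a Domain-scoped cookie, rpi.main.domain receives both cookies and
    # has to decide which one to trust; with host-only cookies it sees only
    # its own.
    print("rpi.main.domain, scoped jar:", cookies_for("rpi.main.domain", SCOPED_JAR))
    print("rpi.main.domain, host-only jar:", cookies_for("rpi.main.domain", HOST_ONLY_JAR))
    print("freeboxhd.com may set cookie for johndoe.freeboxhd.com:",
          accept_domain_attribute("johndoe.freeboxhd.com", "freeboxhd.com", PUBLIC_SUFFIXES))
```

The `cookies_for` result for `rpi.main.domain` with the scoped jar is the collision described in the thread: the RPi portal receives a `sso_session` it never issued alongside its own. A host-only cookie (the browser defaults to the exact request host when `Domain` is absent) is the standard way to keep a login from leaking across sub-domains; whether SSOwat can be configured that way is a separate question the thread does not settle.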

Thanks for your insight!

For anyone encountering the same “issue”, and not wanting to rely on private browsing, I have just discovered this Firefox extension. You only have to put the conflicting domains in different profiles, and you are good to go.


For cross-referencing, I think this issue is also described here.

Hi,

I also face the same issue:

  • I used the domain yunohost.domain.tld as my main domain
  • I used the domain.tld with my yunohost server
  • When I connect to an app on domain.tld, the SSO gives me cookies for both domains (domain.tld and yunohost.domain.tld).
  • But when I disconnect, only the yunohost.domain.tld cookies are removed.
  • And I could not reconnect to the yunohost portal.