[
https://issues.apache.org/jira/browse/KNOX-3232?focusedWorklogId=996417&page=com.atlassian.jira.plugin.system.issuetabpanels:worklog-tabpanel#worklog-996417
]
ASF GitHub Bot logged work on KNOX-3232:
----------------------------------------
Author: ASF GitHub Bot
Created on: 16/Dec/25 10:05
Start Date: 16/Dec/25 10:05
Worklog Time Spent: 10m
Work Description: bonampak commented on PR #1132:
URL: https://github.com/apache/knox/pull/1132#issuecomment-3659745732
> So as I understand the culprit behind the "null" value is
`sb.append('=').append(value);` in SetCookieHeader, right? Wouldn't it be
better to fix that by appending an empty value? Also the SetCookieHeader class
was [introduced](https://github.com/apache/knox/pull/1042) because with java 8
the sameSite attribute was missing from `org.pac4j.core.context.Cookie`. Is
switching back an option?
We could switch back as now setSameSitePolicy() is available on
org.pac4j.core.context.Cookie.
It would still generate name=null; if the cookie value is null.
```java
Cookie cookie;
if (value == null) {
cookie = new Cookie(PAC4J_SESSION_PREFIX + key, null);
}
...
if(sessionStoreConfigs != null &&
sessionStoreConfigs.containsKey(PAC4J_COOKIE_SAMESITE)) {
cookie.setSameSitePolicy(sessionStoreConfigs.get(PAC4J_COOKIE_SAMESITE));
}
context.addResponseCookie(cookie);
```
https://github.com/pac4j/pac4j/blob/pac4j-parent-6.3.0/pac4j-javaee/src/main/java/org/pac4j/jee/context/JEEContext.java#L217
https://github.com/pac4j/pac4j/blob/pac4j-parent-6.3.0/pac4j-core/src/main/java/org/pac4j/core/context/WebContextHelper.java#L147
```java
public static String createCookieHeader(Cookie cookie) {
var builder = new StringBuilder();
builder.append(String.format("%s=%s;", cookie.getName(),
cookie.getValue()));
```
For now, I would keep it as it is, and create another issue to switch back
to `org.pac4j.core.context.Cookie` later (and set cookie value to empty string
instead of null).
Issue Time Tracking
-------------------
Worklog Id: (was: 996417)
Time Spent: 0.5h (was: 20m)
> Handle pac4j cookies with "null" value
> --------------------------------------
>
> Key: KNOX-3232
> URL: https://issues.apache.org/jira/browse/KNOX-3232
> Project: Apache Knox
> Issue Type: Task
> Components: KnoxSSO
> Affects Versions: 3.0.0
> Reporter: Tamás Marcinkovics
> Assignee: Tamás Marcinkovics
> Priority: Major
> Attachments: knoxsso-cas-test.xml
>
> Time Spent: 0.5h
> Remaining Estimate: 0h
>
> When testing Knox SSO with Pac4j and CAS, if the user clicks on global
> logout, and does not close the browser, refreshing the homepage link results
> in a 500 internal server error due to KnoxSessionStore not being able to get
> the value of CasClient$attemptedAuthentication cookie.
> When pac4j calls the
> KnoxSessionStore.set() method with null value, we will add a
> Set-Cookie-Header with "null" value instead of empty.
> setCookieHeader = new SetCookieHeader(PAC4J_SESSION_PREFIX + key, null);
> When KnoxSessionStore.get() is called, it tries to uncompress the non-empty
> value and fails with a BufferUnderflowException.
>
> To test, replace the conf/knoxsso.xml with the contents of the attached
> knoxsso-cas-test.xml and set global logout in gateway-site.xml by setting the
> properties
> {noformat}
> <property>
> <name>knox.homepage.logout.enabled</name>
> <value>true</value>
> </property>
> <property>
> <name>knox.global.logout.page.url</name>
> <value>https://casserverpac4j.herokuapp.com/logout</value>
> </property>
> {noformat}
>
> Then log in to CAS using the same username and password, then in the knox
> homepage press the logout and global logout link afterwards.
--
This message was sent by Atlassian Jira
(v8.20.10#820010)
