shreemaan-abhishek opened a new pull request, #13671: URL: https://github.com/apache/apisix/pull/13671
### Description When two `openid-connect` routes on the same host share a `session.secret`, they both fall back to [lua-resty-session](https://github.com/bungle/lua-resty-session)'s default cookie name `"session"`. An unauthenticated visit to route A stores the pre-login `state`/`nonce` in that cookie; a subsequent unauthenticated visit to route B (carrying the same cookie) overwrites it. When route A's callback then arrives, the state no longer matches and `lua-resty-openidc` returns: ``` state from argument: <A> does not match state restored from session: <B> ``` surfacing as an HTTP 500 to the user. This is purely a cookie-naming collision, not an auth bypass. This PR defaults an unset `session.cookie_name` to a stable per-route name derived from the route id (falling back to `client_id`), so sibling routes each get their own session cookie and no longer clobber each other's pre-login state. An operator-set `session.cookie_name` is still honored, so deployments that intentionally share one session cookie across routes are unaffected. Note on upgrade: because the default cookie name changes, any in-flight sessions using the old default `"session"` cookie are not recognized after upgrade and users re-authenticate once. Config API and behavior contracts are otherwise unchanged. #### Which issue(s) this PR fixes: <!-- filed privately --> ### Checklist - [x] I have explained the need for this PR and the problem it solves - [x] I have explained the changes or the new features added to this PR - [x] I have added tests corresponding to this change - [x] I have updated the documentation to reflect this change - [x] I have verified that this change is backward compatible (config and behavior contracts preserved; see the one-time re-login note above) -- This is an automated message from the Apache Git Service. To respond to the message, please log on to GitHub and use the URL above to go to the specific comment. To unsubscribe, e-mail: [email protected] For queries about this service, please contact Infrastructure at: [email protected]
