Summary
Insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with __Secure- or __Host- prefixed cookie names, the filter fails to append the required Secure attribute to the Set-Cookie header during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers.
Details
Cookies with the __Secure- or __Host- prefix MUST be set with the Secure attribute. This requirement extends to cookie deletion, which is accomplished by setting an expired Set-Cookie header.
The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. As a result, when it attempts to delete a cookie named, for example, __Secure-id-token, it generates a header like:
Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT
This is incorrect. The browser will reject this instruction because the Secure attribute is missing. The correct header should be:
Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; Secure
This failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active.
PoC
- Has any of the following configs like:
- name: envoy.filters.http.oauth2
typed_config:
"@type": type.googleapis.com/envoy.extensions.filters.http.oauth2.v3.OAuth2
...
cookie_names:
bearer_token: "__Secure-bearer"
oauth_hmac: "__Secure-hmac"
id_token: "__Secure-id-token"
refresh_token: "__Secure-refresh-token"
...
- log-in
- log-out, the cookie will not be deleted
Impact
It impacts any environment using Envoy's OAuth2 filter where cookie names have been configured with __Secure- or __Host- prefixes. The primary risk is session hijacking in scenarios involving shared or public computers. A user who performs a logout action will be led to believe their session is terminated. However, the session remains active, allowing the next user of the same browser to gain unauthorized access to the original user's account and data.
Mitigation
- Avoid the
__Secure- or __Host- config
- Apply the fix patch
Reporter:
Thomas Brüggemann [email protected]
botengyao Remediation reviewer
yanavlasov Remediation reviewer
phlax Coordinator
tonya11en Remediation developer
Summary
Insufficient Session Expiration in the Envoy OAuth2 filter leads to failed logout operations. When configured with
__Secure-or__Host-prefixed cookie names, the filter fails to append the requiredSecureattribute to theSet-Cookieheader during deletion. Modern browsers ignore this invalid request, causing the session cookie to persist. This allows a user to remain logged in after they believe they have logged out, creating a session hijacking risk on shared computers.Details
Cookies with the
__Secure-or__Host-prefix MUST be set with the Secure attribute. This requirement extends to cookie deletion, which is accomplished by setting an expired Set-Cookie header.The current implementation iterates through the configured cookie names to generate deletion headers but does not check for these prefixes. As a result, when it attempts to delete a cookie named, for example,
__Secure-id-token, it generates a header like:Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMTThis is incorrect. The browser will reject this instruction because the Secure attribute is missing. The correct header should be:
Set-Cookie: __Secure-id-token=deleted; Expires=Thu, 01 Jan 1970 00:00:00 GMT; SecureThis failure to properly construct the deletion header means the user's session cookies are never removed by the browser, leaving the session active.
PoC
Impact
It impacts any environment using Envoy's OAuth2 filter where cookie names have been configured with
__Secure-or__Host-prefixes. The primary risk is session hijacking in scenarios involving shared or public computers. A user who performs a logout action will be led to believe their session is terminated. However, the session remains active, allowing the next user of the same browser to gain unauthorized access to the original user's account and data.Mitigation
__Secure-or__Host-configReporter:
Thomas Brüggemann [email protected]