Loosing "session" with cookie

[pbarry30]

I am using this solution as a reverse proxy to a vendor Single Page Application with an OIDC "Portal" where users login and can select from a number of different applications to SSO.
I am able to obtain the auth token, get access token and id token and get the "session" cookie set.
Randomly, a valid request with the valid cookie comes in and instead of the module detecting the session and outputting

openidc.lua:1578: authenticate(): session_present=true, session.data.id_token=true, session.data.authenticated=true, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false

it outputs

openidc.lua:1578: authenticate(): session_present=false, session.data.id_token=false, session.data.authenticated=nil, opts.force_reauthorize=nil, opts.renew_access_token_on_expiry=nil, try_to_renew=true, token_expired=false

The cookie comes in but does not seem to pick up the session. There is only 1 instance of nginx running. There are multiple concurrent requests coming in for the same session.

Any ideas?

Thanks
Pat

[vdub8]

Can You show your configs?

P.S.
I had same problem after update lua-session 3.10 -> 4.0.5 and lua-openidc 1.7.6 -> 1.8.0 and I resolved it.

Small introduction:
Early I used secret key for crypt sessions per vhost. This directive in server context (for nginx/angie):
set $session_secret "my_secret_key". That is need for have equal session key for each nginx workers, another case each worker will have uniq secret key.

But starting from lua-session 4.0 that option is not actual.
You should set secret key for session encryption in http context (nginx) by using init or init_worker lua context.
For example in /etc/nginx/nginx.conf:

http {
    init_worker_by_lua_block {
      require "resty.session".init({
        remember = true,
        cookie_http_only = true,
        cookie_secure = true,
        secret = "<your_secret>",
        storage = "cookie",
      })
    }
...
}

Maybe it will help to You...

[pbarry30]

I solved the issue. Its been a while but I believe the secret sauce was

• Using a different value for redirect_uri and local_redirect_uri_path
• Potential use of the remember_safety setting on the session initialization.

I will test again and respond to this

[oldium]

But starting from lua-session 4.0 that option is not actual. You should set secret key for session encryption in http context (nginx) by using init or init_worker lua context. For example in /etc/nginx/nginx.conf:

http {
    init_worker_by_lua_block {
      require "resty.session".init({
        remember = true,
        cookie_http_only = true,
        cookie_secure = true,
        secret = "<your_secret>",
        storage = "cookie",
      })
    }
...
}

Just a note - either this, or use the fourth parameter to authenticate (like require("resty.openidc").authenticate(opts, nil, nil, session_opts)) to pass the values to lua-resty-session.