Session cookies and browser tabs

[fostermi]

We've been using mod_auth_openidc for a while now and I thought I had it working for a variety of use cases, with multiple proxies configured to protect different paths on the same domain, corresponding to different oidc clients in Keycloak. However I'm running into an issue with (I think) the session cookie getting clobbered when using tabs in the same browser, specifically with legacy websites with backend calls via javascript.

The situation is, the user navigates to site A, which is protected by a proxy with mod_auth_openidc, is redirected properly and logs into IdP and is redirected back to the protected page just fine. The user then opens another browser tab, navigates to site B, which (looking at the network traces) redirects to the IdP, sees that the user is already authenticated, then redirects back to the protected site B, with no issue. However, back on site A, there is some javascript connecting to a URL that is also protected by the same proxy as the rest of site A, which suddenly fails, because I think that the browser now sends the cookie with the session id of the new tab opened up for site B. The browser tries to redirect this connection back to the IdP, or returns a 401 unauthorized, depending on the Apache configuration settings for mod_auth_openidc and the OIDCUnAuthAction parameter. The apache debug logs shows that there is a cache miss on the cookie from site B now, so it tries to restart the authentication process.

Is this a correct diagnosis, and if so, is there a workaround so that the browser tab for site A, uses the correct session cookie, or am I going to have to lump all of these legacy sites into a single proxy under a single OIDC client?

[zandbelt]

you'll need to investigate in the browser's developer mode what happens: what should happen is that both sites get their own cookie on their own path and that the Javascript code accesses a URL on site A so the site A cookie will be sent along with it; if there's some mismatch in the URL (e.g. the Javascript calls into another site than A) or the settings (e.g. the OIDCCookiePath's between the sites overlap) then you could experience problems; the browser trace would show you which cookie gets sent where

[fostermi]

That was it. Setting the cookie path worked. I was hesitant to set that as I was unsure how that would affect SSO across webpages. Thanks, Hans!