question: Caddy-security caching session? #435

@banduraj78

Description

Issue:

I have set up a new caddy docker instance with caddy-security using ldap (AD) as an identity store. This all works as expected. However, once I log in with any account and am assigned the correct roles, if I log out and try to log in again, I am forced back to the login page. Checking the logs, I see the following.

{"level":"info","ts":1761849083.9475238,"logger":"security","msg":"user passed all authorization checkpoints","session_id":"bwu8Ht3sPvgn14AJxQpfSIrvU3RUfQAif2No","request_id":"1280fcae-7442-497c-afd8-238e4a4171be","checkpoints":[{"name":"Authenticate with password","type":"password","passed":true}]}
{"level":"debug","ts":1761849083.950557,"logger":"security","msg":"token error","session_id":"bwu8Ht3sPvgn14AJxQpfSIrvU3RUfQAif2No","request_id":"398eb9dc-7faa-432f-a7c8-1e65388f0d27","error":"user role is valid, but not allowed by access list"}
{"level":"debug","ts":1761849083.9505694,"logger":"security","msg":"Redirect served","session_id":"bwu8Ht3sPvgn14AJxQpfSIrvU3RUfQAif2No","request_id":"398eb9dc-7faa-432f-a7c8-1e65388f0d27","redirect_url":"https://authnvr.domain.local/login","status_code":302}

The only way I can get past this is if I close my browser window and reopen it. It's almost as if it's caching the session and won't let it go.

I have the Caddyfile included below.

{
  debug

  order authenticate before respond

  security {
    ldap identity store domain.local {
      realm domain.local

      servers {
        ldaps://server.domain.local
      }

      attributes {
        name givenName
        surname sn
        username sAMAccountName
        member_of memberOf
        email mail
      }

      trusted_authority /caddy/certs/cert.pem
      username "CN=AD Browser,OU=Service Accounts,DC=domain,DC=local"
      password "xxxxxxxxxxxxxxxxxxxxxxxx"
      search_base_dn "CN=Users,DC=domain,DC=local"
      search_filter "(&(|(sAMAccountName=%s)(mail=%s))(objectclass=user))"

      groups {
        "CN=Admins,CN=Users,DC=domain,DC=local" admin
        "CN=Viewers,CN=Users,DC=domain,DC=local" viewer
      }
    }

    authentication portal login_portal {
      enable identity store domain.local

      ui {
        logo url "https://test.domain.com/images/domain_logo.png"
      }
    }

    authorization policy access_policy {
      set auth url https://authnvr.domain.local/login
      allow roles admin viewer
      inject headers with claims
    }
  }
}

(tls_config) {
  tls /caddy/certs/fullchain.pem /caddy/certs/privkey.pem
}

authnvr.domain.local {
  import tls_config

  route {
    authenticate with login_portal
  }
}

nvr.domain.local {
  import tls_config

  route {
    authorize with access_policy

    reverse_proxy http://target:8080 {
      header_up X-Proxy-Secret xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
    }
  }
}

Any help is appreciated. Thank you.
