
Authentication and sessions are not working together. #1139

Open
Chris--A opened this issue Sep 24, 2023 · 2 comments

Comments


Chris--A commented Sep 24, 2023

Describe the Bug

Authentication and sessions are not working together. My end goal which I haven't been able to produce is to have a different session for http localhost and https local network (so anything not local requires login and https).

However, I'm hitting a discrepancy with the sessions. When I log in with https, but view the localhost http side with the same browser, it is using the same session cookie (expected), however the $webEvent.Auth structure is empty, even though Test-PodeAuthUser returns $true.

Steps To Reproduce

Import-Module pode

Start-PodeServer -ScriptBlock {
    # One session store shared by every endpoint; -Secure marks the cookie HTTPS-only
    Enable-PodeSessionMiddleware -Duration 120 -Extend -Strict -Secure

    # HTTPS endpoint reachable from the network, HTTP endpoint bound to localhost only
    Add-PodeEndpoint -Address * -Port 8443 -Protocol Https -SelfSigned -Name SecurePortal -Force
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http -Name Portal

    # Basic auth against a local Windows account
    New-PodeAuthScheme -Basic | Add-PodeAuthWindowsLocal -Name 'Login' -Users testUser

    # Same handler on both routes: report what Test-PodeAuthUser and $webEvent.Auth say
    $sb = {
        Write-PodeJsonResponse @{
            IsAuthenticated = Test-PodeAuthUser
            Auth = $webEvent.Auth
        }
    }

    # Localhost route allows anonymous access; the HTTPS route requires the 'Login' scheme
    Add-PodeRoute -Path '/' -Method Get -EndpointName Portal -AllowAnon -ScriptBlock $sb
    Add-PodeRoute -Path '/' -Method Get -EndpointName SecurePortal -Authentication Login -ScriptBlock $sb
}

Observed Behavior

Initial load of http://localhost:8080/

{
  "Auth": {

  },
  "IsAuthenticated": false
}

Initial load & successful authentication of https://localhost:8443/

{
  "Auth": {
    "Store": true,
    "User": {
      "Username": "testUser",
      "Fqdn": "xxxxx",
      "UserType": "Local",
      "Name": "",
      "Groups": [
        "Users"
      ],
      "AuthenticationType": "WinNT",
      "Domain": "localhost"
    },
    "IsAuthenticated": true
  },
  "IsAuthenticated": true
}

Re-visit http://localhost:8080/ - $webEvent.Auth structure is empty, even though Test-PodeAuthUser returns $true.

{
  "Auth": {

  },
  "IsAuthenticated": true
}

Expected behavior

If Test-PodeAuthUser returns true, I'd expect the $webEvent.Auth to be populated.

Platform

  • OS: Windows 10
  • Browser: chrome
  • Versions:
    • Pode: 2.8
    • PowerShell: 5.1, 7.3.x

Badgerati commented Sep 25, 2023

Hi @Chris--A,

This is expected, the localhost Route doesn't use Authentication, so $WebEvent.Auth will be empty as it doesn't go through that middleware. Since you're hijacking the same session, you'll find the auth details within the session itself here: $WebEvent.Session.Data.Auth.

I'm working in the Auth area currently actually (#588), so I can create a Get-PodeAuthUser which will check both locations similar to Test-PodeAuthUser.

@Badgerati Badgerati added this to the 2.9.0 milestone Sep 26, 2023
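A route script block that resolves the identity from either location Badgerati names, as an added example (not code from the issue or from Pode itself). It assumes the session copy under $WebEvent.Session.Data.Auth has the same IsAuthenticated/User shape that the issue's JSON shows for $WebEvent.Auth:

```powershell
Import-Module Pode

Start-PodeServer -ScriptBlock {
    # One session store shared by both endpoints; -Secure marks the cookie HTTPS-only,
    # though the thread observed Chrome still presenting it to http://localhost.
    Enable-PodeSessionMiddleware -Duration 120 -Extend -Strict -Secure

    Add-PodeEndpoint -Address * -Port 8443 -Protocol Https -SelfSigned -Name SecurePortal -Force
    Add-PodeEndpoint -Address localhost -Port 8080 -Protocol Http -Name Portal

    New-PodeAuthScheme -Basic | Add-PodeAuthWindowsLocal -Name 'Login' -Users testUser

    $sb = {
        # Route ran -Authentication Login: the details are on the event itself.
        $auth = $WebEvent.Auth
        $source = 'event'

        # -AllowAnon route that only carries the session cookie: the Authentication
        # middleware never ran, so fall back to the copy kept in the session store.
        # Assumption: that copy has the same IsAuthenticated/User shape as $WebEvent.Auth.
        if (-not ($auth -and $auth.IsAuthenticated)) {
            $auth = $WebEvent.Session.Data.Auth
            $source = 'session'
        }

        if ($auth -and $auth.IsAuthenticated) {
            Write-PodeJsonResponse -Value @{
                IsAuthenticated = $true
                Username        = $auth.User.Username
                Source          = $source   # where the identity was found
            }
        }
        else {
            # No identity in either place: treat the request as anonymous, never as logged in.
            Write-PodeJsonResponse -Value @{ IsAuthenticated = $false; Source = $null }
        }
    }

    Add-PodeRoute -Path '/' -Method Get -EndpointName Portal -AllowAnon -ScriptBlock $sb
    Add-PodeRoute -Path '/' -Method Get -EndpointName SecurePortal -Authentication Login -ScriptBlock $sb
}
```

After logging in over https://localhost:8443/, a request to http://localhost:8080/ with the same cookie should report Source = "session", while the HTTPS route reports Source = "event".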
Chris--A commented

Thanks for the response @Badgerati

From what I have researched, it shouldn't be considered hijacking, as many implementations prior to the HTTPS enforcement of chrome and such used HTTPS to authenticate sites that did not require TLS. Additionally it is the browser passing the cookie regardless of protocol. The latest version of Chrome accesses the cookies based on the domain/endpoint not the protocol.

$WebEvent.Auth will be empty as it doesn't go through that middleware

I maybe should have removed the -Secure; it makes no difference. Without it, the HTTP site gets the cookie first, and Chrome sends it with the HTTPS request.

...I will investigate further to confirm this.

@Badgerati Badgerati removed this from the 2.9.0 milestone Oct 7, 2023