Pocket-ID login loop after logout due to conflicting access_token cookies
#170
Unanswered
agreenfield1 asked this question in Q&A
Replies: 2 comments 1 reply
Hi @agreenfield1, I moved this to an issue as it could be a bug.
@agreenfield1 Could you test the
I've encountered an issue. I was able to resolve it mostly, but am presenting it here as I'm not sure if it is a Pocket-ID or caddy-security bug, or just a configuration issue.
Summary: Pocket-ID enters a state where it is impossible to log in after logging out. The login process loops back to the sign-in page. This issue is resolved by manually deleting cookies (access_token specifically).
How to reproduce:
https://<service>.domain.com and https://pocketid.domain.com, and set up the caddy-security module according to the provided documentation for <service>
https://<service>.domain.com and authorize
https://pocketid.domain.com and authorize
https://pocketid.domain.com
Cause:
It looks like there are two access_token cookies under https://pocketid.domain.com:
https://<service>.domain.com, and the domain scope is .domain.com
https://pocketid.domain.com, and the domain scope is pocketid.domain.com
When logging out the value of Cookie2 is cleared but Cookie1 remains, a scenario that appears not handled well by Pocket-ID.
Not sure if this is an issue more related to Pocket ID or caddy-security. But it could certainly be handled better I think. I was able to resolve it by inserting the following line into my caddyfile for each <service>, but not sure if this is the best fix?:
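The cookie state described in the post above, modelled as an added example (not part of the original post, not the Caddyfile line the author refers to, and not Pocket-ID or caddy-security code). It applies RFC 6265 domain matching to show why both `access_token` cookies reach `pocketid.domain.com` and why expiring one scope leaves the other in place. The host `service.domain.com` stands in for `<service>`, and the token values are constructed.

```javascript
// Added example: a minimal model of RFC 6265 cookie scoping, not Pocket-ID or caddy-security code.
// Host names and token values are constructed; "service" stands in for <service>.

// RFC 6265 section 5.1.3: a domain cookie matches its own domain and every subdomain.
function domainMatches(host, c) {
  return host === c.domain || (!c.hostOnly && host.endsWith("." + c.domain));
}

class CookieJar {
  constructor() { this.cookies = []; }

  // Apply a Set-Cookie received from originHost. With a Domain attribute the cookie
  // covers subdomains (a leading dot is ignored); without one it is host-only.
  set(originHost, name, value, { domain, path = "/", expire = false } = {}) {
    const d = (domain || originHost).replace(/^\./, "").toLowerCase();
    // A cookie is identified by (name, domain, path), so a Set-Cookie replaces
    // or expires only the entry whose scope matches exactly.
    this.cookies = this.cookies.filter(
      c => !(c.name === name && c.domain === d && c.path === path));
    if (!expire) this.cookies.push({ name, value, domain: d, path, hostOnly: !domain });
  }

  // Cookies with this name that a browser would attach to a request for host.
  sentTo(host, name) {
    return this.cookies.filter(c => c.name === name && domainMatches(host, c));
  }
}

function reproduce() {
  const jar = new CookieJar();
  // Cookie1: set on the service host with the parent-domain scope .domain.com.
  jar.set("service.domain.com", "access_token", "constructed-service-token",
          { domain: ".domain.com" });
  // Cookie2: set by pocketid.domain.com for its own host.
  jar.set("pocketid.domain.com", "access_token", "constructed-pocketid-token");
  const beforeLogout = jar.sentTo("pocketid.domain.com", "access_token");
  // Logout expires access_token in the pocketid.domain.com scope only.
  jar.set("pocketid.domain.com", "access_token", "", { expire: true });
  const afterLogout = jar.sentTo("pocketid.domain.com", "access_token");
  return { beforeLogout, afterLogout };
}

const { beforeLogout, afterLogout } = reproduce();
console.log("before logout:", beforeLogout.map(c => `${c.value} (${c.domain})`));
console.log("after logout: ", afterLogout.map(c => `${c.value} (${c.domain})`));
```

After the logout step, the only `access_token` still sent to `pocketid.domain.com` is the one scoped to `.domain.com`, which matches the leftover Cookie1 the post reports.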