Bug 1434845

Summary: FreeIPA client <= 4.4 fail to parse 4.5 cookies
Product: Red Hat Enterprise Linux 6 Reporter: Petr Vobornik <pvoborni>
Component: ipaAssignee: IPA Maintainers <ipa-maint>
Status: CLOSED WONTFIX QA Contact: ipa-qe <ipa-qe>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 6.9CC: enewland, ksiddiqu, mkolaja, pvoborni, pvomacka, rcritten, slaznick, ssorce, tscherf
Target Milestone: rc   
Target Release: 6.10   
Hardware: Unspecified   
OS: Unspecified   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of:
: 1441160 1459153 (view as bug list) Environment:
Last Closed: 2017-06-12 14:02:05 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On:    
Bug Blocks: 1441160    
Attachments:
Description Flags
Proposed patch that can be applied after RHEL 6.9 upstream patches [0]
none
Proposed patch that can be applied after RHEL 6.9 upstream patches [1] none

Description Petr Vobornik 2017-03-22 13:16:19 UTC 
Cloned from upstream: https://pagure.io/freeipa/issue/6774

Older clients are also affected by #6718. I noticed the problem when I was testing the vault with FreeIPA 4.4 client and FreeIPA 4.5 server. https://github.com/freeipa/freeipa/pull/532 needs to be backported.

```text
ipa: ERROR: unable to parse cookie header 'ipa_session=MagBearerToken=MiIjMRJWMAl1%2bazkGlIRns2iysA7wxc%2bpSenQtZEMKXSsRAXEcnw2wHEyzOyh8RHgIm5K7YvX1k1tPotRM2ztegX4ODAmOe26%2fP4FLu68AupejDBNmNIENfasrNhUiPowugkkRXBOD%2b%2bsGFFMUZ%2bP7AYPHoW3bE3uN4ftRQwftE11EFTti4a9fVwB4SLKiuU&expiry=1489670819868611;Max-Age=1800;path=/ipa;httponly;secure;': unsupported operand type(s) for +: 'NoneType' and 'datetime.timedelta'
```
Comment 3 Standa Laznicka 2017-03-24 14:00:34 UTC 
Created attachment 1266100 [details]
Proposed patch that can be applied after RHEL 6.9 upstream patches [0]
Comment 4 Standa Laznicka 2017-03-24 14:01:15 UTC 
Created attachment 1266101 [details]
Proposed patch that can be applied after RHEL 6.9 upstream patches [1]
Comment 10 Simo Sorce 2017-05-10 11:43:38 UTC 
We can probably remove the Max-Age attribute with a rewrite instruction in the apache configuration, but I wonder if we should leave this as a workaround for impacted customers rather than doing it by default.
Max-Age is used to tell the browser when to throw away the cookie, and it is not fundamental, worst case browsers send an expired cookie and they need to renegotiate and will get a new cookie.
Comment 12 Simo Sorce 2017-05-11 14:20:19 UTC 
Petr, what do you think ?
Comment 13 Pavel Vomacka 2017-06-05 17:03:06 UTC 
FreeIPA 4.5.0(1) server sends Set-Cookie header with Max-Age string, that is set by SessionMaxAge directive in httpd configuration. This is part of the header which older clients cannot parse. Older clients understand the cookie with expiration expressed this way: Expires=time_when_cookie_expires. In this format: Expires=Mon, 05 Jun 2017 17:10:07 GMT;