Fix: Remember me cookie not set when bypassing

Review changes
Download
Patches
Plain diff

Gerardo Navarro requested to merge gitlab-community/gitlab:370083/gerardo-navarro/fix-remember-me-cookie-not-set into master Dec 01, 2023

Overview 50
Commits 5
Pipelines 13
Changes 3

What does this MR do and why?

Potential fix for issue Remember me cookie not set when bypassing 2fa i... (#370083 - closed)
Adding more tests related the "Remember me" cookie

🛠 with ❤ at Siemens

Screenshots or screen recordings

This MR only contains backend -related changes.

How to set up and validate locally

The following steps are partially taken from the section Steps to reproduce included in the issue description

Pick a user account for testing and enable 2FA for the specific user
Setup omniauth provider, e.g. the omniauth provider auth0
Configure the omniauth provider to bypass two factor, i.e. allow_bypass_two_factor: ['auth0'].
Open a new private / incognito browser window and go to http://gdk.test:3000
❗ IMPORTANT ❗ Select the checkbox "Remember me" below the button to initiate sign in flow of the omniauth provider, see screenshot below
Click the omniauth provider button and follow the sign in flow of the omniauth provider
After the omniauth sign in flow, you should be redirected to the GitLab dashboard screen and the cookie remember_user_token should be present, see other screenshot below
Restart your browser or delete the _gitlab_session session cookie
Go to http://gdk.test:3000
You should see the GitLab dashboard screen without the need for signing into GitLab (because of the cookie remember_user_token is still set)

When performing these steps on the branch master, then the cookie remember_user_token will not be present after signing in with the omniauth provider.

Note: In Firefox, multiple private windows do not have individual sessions. Multiple private windows reuse the same (private) session, see https://support.mozilla.org/en-US/questions/1269006 .

Todos

MR acceptance checklist

This checklist encourages us to confirm any changes have been analyzed to reduce risks in quality, performance, reliability, security, and maintainability.

I have evaluated the MR acceptance checklist for this MR.
- Changelog entry added, if necessary
- ~~Documentation created/updated via this MR~~
- ~~Documentation reviewed by technical writer or follow-up review issue created~~
- Tests added for this feature/bug
- Tested in all supported browsers
- Conforms to the code review guidelines
- Conforms to the merge request performance guidelines
- Conforms to the style guides
- ~~Conforms to the javascript style guides~~
- ~~Conforms to the database guides~~

Relates to Remember me cookie not set when bypassing 2fa i... (#370083 - closed)

Edited Dec 20, 2023 by Gerardo Navarro

Merge request reports

Assignee

Select assignees

Reviewers

Request review from

Time tracking