[GH-ISSUE #1740] Oidc cookie wrong #1995

Closed
opened 2026-04-16 08:55:15 -05:00 by GiteaMirror · 3 comments
Owner

Originally created by @smeretech on GitHub (Oct 24, 2025).
Original GitHub issue: https://github.com/fosrl/pangolin/issues/1740

Describe the Bug

Hello

I am also encountering the same problem as in the previous ticket #1644.

I should point out that I have version 1.11 and the IdP is Authentik.

When accessing the baseurl, the problem does not occur because the oidc cookie remains correctly valued with the baseurl domain and, in the callback passage from Authentik, it maintains the session and, above all, the oidc cookie.
The real problem is with the use of other third-level domains where there are resources that Pangolin has to manage.

  1. When logging in to resource1.domain.it:
    Pangolin sets the status cookie:
    p_oidc_state=...; Domain=resource1.domain.it; SameSite=lax

  2. The Callback:
    Authentik (correctly) redirects to Pangolin's baseURL: https://pangolin.domain.it/auth/.../callback

  3. The cookie then disappears:
    The browser must go to pangolin.domain.it. It looks at the cookie it has saved and sees Domain=resource1.domain.it.
    The browser refuses to send that cookie for two reasons:

• Reason 1 (The Main Block): The domains do not match.
• Reason 2 (The Secondary Block): The redirection from Authentik is "cross-site," and the cookie is SameSite=lax. This also blocks it.

I created some http-response replace-value rules upstream of Pangolin (HAProxy) so that they intercept the p_oidc_state cookie (and only that one) and transform it from:
Domain=resource1.domain.it; SameSite=lax
to
Domain=.domain.it; SameSite=None; Secure

With the rules active and setting the cookie_domain to .domain.it in the config file:

  1. I go to https://resource1.domain.it.
  2. Pangolin starts the OIDC login. The p_oidc_state cookie is set for resource1.domain.it.
  3. HAProxy intercepts the cookie and corrects it to Domain=.domain.it and SameSite=None.
  4. I log in to Authentik and am redirected to the callback on pangolin.domain.it.
  5. The browser sends the p_oidc_state cookie (because .domain.it is valid). The login is successful.
  6. Pangolin creates the session cookie (p_session_token) but probably does so using pangolin.domain.it despite the variable.
  7. Pangolin (due to the bug) still redirects to the pangolin.domain.it dashboard.

Now there is an infinite loop.

Environment

  • OS Type & Version: docker
  • Pangolin Version: 1.11
  • Gerbil Version: latest
  • Traefik Version:
  • Newt Version: latest
  • Olm Version: (if applicable)

To Reproduce

  1. When logging in to resource1.domain.it:
    Pangolin sets the status cookie:
    p_oidc_state=...; Domain=resource1.domain.it; SameSite=lax
  2. The Callback:
    Authentik (correctly) redirects to Pangolin's baseURL: https://pangolin.domain.it/auth/.../callback
  3. The cookie then disappears due to the mismatch.

Expected Behavior

Generate an OIDC cookie based on the first level of the domain (.domain.it) and solve the session cookie problem.

GiteaMirror added the stale label 2026-04-16 08:55:15 -05:00
Author
Owner

@github-actions[bot] commented on GitHub (Nov 8, 2025):

This issue has been automatically marked as stale due to 14 days of inactivity. It will be closed in 14 days if no further activity occurs.

Author
Owner

@github-actions[bot] commented on GitHub (Nov 22, 2025):

This issue has been automatically closed due to inactivity. If you believe this is still relevant, please open a new issue with up-to-date information.

Author
Owner

@88plug commented on GitHub (Dec 6, 2025):

Workaround using Traefik Proxy Cookie plugin

This bug bricked my first Pangolin install - added a resource with "Accept Clients" enabled and immediately got locked into a redirect loop. Couldn't access the dashboard at all, had to nuke the config and start fresh.

The root cause: p_session_token cookie is scoped to the exact hostname (Domain=example.com) instead of the wildcard (Domain=.example.com), so subdomain resources with Badger auth can't see the session cookie → infinite redirect. This affects any deployment, not specific to any proxy/CDN setup.

Fixed it with traefik-plugin-proxy-cookie (https://plugins.traefik.io/plugins/63f635069454451553c1c914/proxy-cookie) to rewrite cookie domains at the Traefik layer:

traefik.yml:

```yaml
experimental:
  plugins:
    proxyCookie:
      moduleName: "github.com/SchmitzDan/traefik-plugin-proxy-cookie"
      version: "v0.0.2"
```

dynamic_config.yml:

```yaml
http:
  middlewares:
    cookie-domain-fix:
      plugin:
        proxyCookie:
          domain:
            rewrites:
              - regex: "^(example\\.com)$"
                replacement: ".example.com"

  routers:
    # apply to pangolin dashboard/api routers
    next-router:
      rule: "Host(`example.com`)"
      middlewares: ["cookie-domain-fix"]
      # ... rest of config
```

This intercepts Set-Cookie responses and rewrites the domain to include the leading dot, making the session cookie valid across all subdomains. Works for both regular auth and OIDC flows.

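An added example (not Pangolin, HAProxy or Traefik code) that models the RFC 6265 cookie rules behind both the issue report above (the p_oidc_state cookie scoped to resource1.domain.it never reaches pangolin.domain.it) and the proxy-side Set-Cookie rewrite in this comment. The hostnames and cookie values are constructed samples; note that browsers ignore a leading dot on Domain, so what matters is whether a Domain attribute is present and which zone it names.

```javascript
// RFC 6265 section 5.1.3: does request host "host" domain-match "domain"?
function domainMatch(host, domain) {
  host = host.toLowerCase();
  domain = domain.toLowerCase();
  if (host === domain) return true;
  const isIp = /^\d+\.\d+\.\d+\.\d+$/.test(host);
  return host.endsWith('.' + domain) && !isIp;
}

// Store a Set-Cookie header the way a browser would (RFC 6265 sections 5.2/5.3):
// a leading dot on Domain is ignored; a missing Domain makes the cookie host-only.
// Returns null when the browser would reject the cookie outright.
function parseSetCookie(header, originHost) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    domain: originHost.toLowerCase(),
    hostOnly: true,
  };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    if (k.toLowerCase() === 'domain' && v) {
      const d = v.replace(/^\./, '').toLowerCase();
      // A server may only set cookies for a zone that covers its own host.
      if (!domainMatch(originHost, d)) return null;
      cookie.domain = d;
      cookie.hostOnly = false;
    }
  }
  return cookie;
}

// RFC 6265 section 5.4: would the stored cookie be attached to a request for "host"?
function cookieSentTo(cookie, host) {
  host = host.toLowerCase();
  return cookie.hostOnly ? host === cookie.domain : domainMatch(host, cookie.domain);
}

// The proxy-side workaround from the thread (HAProxy replace-value / Traefik
// proxy-cookie): widen the Domain attribute of one named cookie to the parent
// zone, leaving every other Set-Cookie header untouched.
function rewriteCookieDomain(header, cookieName, parentDomain) {
  if (!header.startsWith(cookieName + '=')) return header;
  return header.replace(/Domain=[^;]+/i, 'Domain=' + parentDomain);
}
```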
Reference: github-starred/pangolin#1995