fix(authz-casdoor): scope session cookie per Casdoor client#13387

Open
shreemaan-abhishek wants to merge 4 commits into
apache:masterfrom
shreemaan-abhishek:authz-casdoor-session-scope

Conversation

@shreemaan-abhishek
Contributor

Description

Each route configured with the authz-casdoor plugin now stores its session under a cookie name derived from its client_id, and the session payload itself is bound to the client_id it was issued for.

Previously, every authz-casdoor route on a given host shared the default resty.session cookie name (session), and the access check at the start of _M.access only verified that an access_token was present in the session — it did not verify that the session belonged to the route's client_id. As a result, two authz-casdoor routes on the same host configured with different client_ids shared authentication state.

The fix has two layers:

  1. Per-client cookie name. A cookie name is derived from conf.client_id (sanitized to [A-Za-z0-9_]) and passed as cookie_name to every resty.session open / new / start call inside the plugin. Different client_ids now read and write different cookies.
  2. In-session client_id binding. client_id is stored in the session at write time. The gate check additionally requires session_obj:get("client_id") == conf.client_id before honoring an existing session, so a session payload cannot be honored by a route configured with a different client_id.

A regression test (TEST 11 + TEST 12 in t/plugin/authz-casdoor.t) configures two routes on the same host with different client_ids (low-client on /low/*, high-client on /high/*), drives the full login flow against the first route, and then re-uses the resulting cookie against the second route — asserting that the second route still redirects to Casdoor with its own client_id.

Which issue(s) this PR fixes:

Fixes #

Breaking changes

  1. After upgrading, existing authz-casdoor sessions will not be recognized: the cookie name changes from the resty.session default to a per-client_id name. Users will be redirected to Casdoor once to re-establish their session.
  2. Deployments that had two authz-casdoor routes on the same host with different client_ids and implicitly relied on a single session being shared between them will no longer do so. Operators that want shared authentication state across routes should configure those routes with the same client_id.

Checklist

  • I have explained the need for this PR and the problem it solves
  • I have explained the changes or the new features added to this PR
  • I have added tests corresponding to this change
  • I have updated the documentation to reflect this change
  • I have verified that this change is backward compatible (If not, please discuss on the APISIX mailing list first)
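The two layers described above, modelled as an added Python example rather than the plugin's own Lua or anything from APISIX; the cookie-name format, the in-memory session store, the cookie jar and the two route configs are constructed assumptions used to replay the TEST 11/12 scenario with each layer switched on or off:

```python
import hashlib
import secrets
from functools import lru_cache

# Constructed stand-in for resty.session's server-side store: (cookie_name, cookie_value) -> payload
STORE: dict = {}


@lru_cache(maxsize=None)
def cookie_name_for(client_id: str) -> str:
    """Per-client cookie name from a sha256 digest of client_id, memoized per client_id.
    The prefix and truncation here are assumptions; the plugin's own format may differ."""
    return "authz_casdoor_" + hashlib.sha256(client_id.encode()).hexdigest()[:16]


def _cookie(conf: dict, scoped_cookie: bool) -> str:
    # Pre-fix behaviour: every route shared resty.session's default cookie name, "session".
    return cookie_name_for(conf["client_id"]) if scoped_cookie else "session"


def login(conf: dict, jar: dict, access_token: str, scoped_cookie: bool = True) -> None:
    """Model the callback step: write a session and hand the browser (jar) its cookie."""
    name = _cookie(conf, scoped_cookie)
    value = secrets.token_hex(8)
    # client_id is stored next to the token so the gate can verify the binding later.
    STORE[(name, value)] = {"access_token": access_token, "client_id": conf["client_id"]}
    jar[name] = value


def gate(conf: dict, jar: dict, scoped_cookie: bool = True, bind_client: bool = True):
    """Model the check at the start of _M.access: 'allow', or a redirect carrying this route's client_id."""
    name = _cookie(conf, scoped_cookie)
    sess = STORE.get((name, jar.get(name)))
    if not sess or not sess.get("access_token"):
        return ("redirect", conf["client_id"])
    # Second layer: refuse a session payload that was issued for a different client_id.
    if bind_client and sess.get("client_id") != conf["client_id"]:
        return ("redirect", conf["client_id"])
    return "allow"


def replay_cookie(scoped_cookie: bool, bind_client: bool):
    """Shape of TEST 11/12: log in via low-client, then replay the same jar against high-client."""
    STORE.clear()
    jar: dict = {}
    low, high = {"client_id": "low-client"}, {"client_id": "high-client"}
    login(low, jar, "tok-low", scoped_cookie)
    return gate(low, jar, scoped_cookie, bind_client), gate(high, jar, scoped_cookie, bind_client)
```

With both flags off the replay is accepted by the second route; enabling either layer alone is already enough to send it back to Casdoor with `high-client`.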

Each route's authz-casdoor session is now stored under a cookie name
derived from its client_id, and the session payload is bound to the
client_id it was issued for. Sessions established by one route are
no longer honored by a route configured with a different client_id.

Replace the character-substitution helper with ngx.md5 so that
distinct client_id values map to distinct session cookie names.

Switch the per-client cookie name derivation from ngx.md5 to
resty.sha256, matching the pattern used in csrf, hmac-auth, and
aws-lambda for security-adjacent hashing. The result is memoized
per client_id at module scope so the digest is computed once per
route load, not per request.

Extend the regression test to assert that the Set-Cookie names
issued by two routes with different client_ids differ, pinning
the cookie-name scoping layer independently of the in-session
client_id check.

@shreemaan-abhishek shreemaan-abhishek marked this pull request as ready for review May 19, 2026 07:44
@dosubot dosubot Bot added the size:L This PR changes 100-499 lines, ignoring generated files. label May 19, 2026