fix(security): make auth cookie name configurable, override per env
The auth cookie name was hardcoded to ZB.MOM.WW.ScadaBridge.Auth. Because browser cookies are scoped by host+path but NOT by port, two ScadaBridge clusters on the same host (the local docker stack on localhost:9000 and docker-env2 on localhost:9100) shared one cookie jar: signing into one overwrote the other's cookie, and since the clusters use different JWT signing keys + separate Data Protection key rings, the overwritten side could no longer validate its cookie and the session died.

Add SecurityOptions.CookieName (default = canonical ZB.MOM.WW.ScadaBridge.Auth, blank falls back to the default) applied via the SecurityOptions-bound cookie PostConfigure. Override it to ...Auth.env2 in both docker-env2 Central nodes so the two local clusters no longer collide; the primary cluster keeps the default so its live sessions and production are unaffected.

Adds 3 Security.Tests cases.
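The cookie PostConfigure that the commit message refers to is not part of the diff shown on this page. As an added illustration (my own code, not ScadaBridge's), the following shows one way to apply `SecurityOptions.CookieName` to the ASP.NET Core cookie scheme with the documented blank-falls-back-to-default rule, plus a startup-time check that the configured value is a valid cookie-name token so a bad setting fails loudly instead of producing a `Set-Cookie` header the browser silently drops. The class names, the registration helper and the `Separators` set are assumptions; only `SecurityOptions`, `DefaultCookieName`, `CookieName`, `RequireHttpsCookie` and the `ScadaBridge:Security:CookieName` key come from the page.

```csharp
using System;
using Microsoft.AspNetCore.Authentication.Cookies;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.Configuration;
using Microsoft.Extensions.DependencyInjection;
using Microsoft.Extensions.Options;

// Assumed shape of the options class, mirroring the members visible in the hunk.
public sealed class SecurityOptions
{
    public const string DefaultCookieName = "ZB.MOM.WW.ScadaBridge.Auth";

    public bool RequireHttpsCookie { get; set; } = true;

    // Bound from ScadaBridge:Security:CookieName; blank/whitespace falls back to the default.
    public string CookieName { get; set; } = DefaultCookieName;
}

// Hypothetical PostConfigure: runs after AddCookie()'s own Configure delegates, so the
// value bound from SecurityOptions wins over any hardcoded name.
public sealed class SecurityCookiePostConfigure : IPostConfigureOptions<CookieAuthenticationOptions>
{
    // RFC 6265 cookie-name is a token: no separators, no control chars, no non-ASCII.
    // (Assumed set; '.' is allowed, which is why the canonical dotted name is fine.)
    private const string Separators = "()<>@,;:\\\"/[]?={}";

    private readonly SecurityOptions _security;

    public SecurityCookiePostConfigure(IOptions<SecurityOptions> security)
        => _security = security.Value;

    public void PostConfigure(string? name, CookieAuthenticationOptions options)
    {
        options.Cookie.Name = ResolveCookieName(_security.CookieName);
        // Secure flag is handled here too so both settings come from the same source.
        options.Cookie.SecurePolicy = _security.RequireHttpsCookie
            ? CookieSecurePolicy.Always
            : CookieSecurePolicy.SameAsRequest;
    }

    // Blank/whitespace -> canonical default. Anything else must be a valid token.
    public static string ResolveCookieName(string? configured)
    {
        if (string.IsNullOrWhiteSpace(configured))
            return SecurityOptions.DefaultCookieName;

        var candidate = configured.Trim();
        foreach (var c in candidate)
        {
            if (c <= ' ' || c >= 0x7F || Separators.Contains(c))
                throw new InvalidOperationException(
                    $"ScadaBridge:Security:CookieName contains invalid character 0x{(int)c:X2}; " +
                    "cookie names must be RFC 6265 tokens.");
        }
        return candidate;
    }
}

// Assumed registration helper showing where the PostConfigure is wired in.
public static class SecurityCookieRegistration
{
    public static IServiceCollection AddScadaBridgeAuthCookie(
        this IServiceCollection services, IConfiguration configuration)
    {
        // Bind SecurityOptions so an env var such as
        // ScadaBridge__Security__CookieName=<distinct-name-for-this-cluster>
        // (placeholder value) reaches the PostConfigure below.
        services.Configure<SecurityOptions>(configuration.GetSection("ScadaBridge:Security"));

        services.AddAuthentication(CookieAuthenticationDefaults.AuthenticationScheme)
                .AddCookie();

        // IPostConfigureOptions<T> instances run for every named options instance,
        // after all Configure delegates, which is what lets the bound name override.
        services.AddSingleton<IPostConfigureOptions<CookieAuthenticationOptions>,
                              SecurityCookiePostConfigure>();
        return services;
    }
}
```

Giving each cluster on a shared host its own name is what keeps the two cookie jars apart, since the browser keys cookies on host and path only; the validation step is there because a malformed name would otherwise be rejected client-side with no server-side error, which presents exactly like the session-death symptom the commit fixes.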
@@ -44,4 +44,18 @@ public class SecurityOptions
/// any HTTPS request but is usable over plain HTTP.
/// </summary>
public bool RequireHttpsCookie { get; set; } = true;
/// <summary>The canonical default authentication-cookie name (<see cref="CookieName"/>).</summary>
public const string DefaultCookieName = "ZB.MOM.WW.ScadaBridge.Auth";
/// <summary>
/// Authentication cookie name. Defaults to <see cref="DefaultCookieName"/>. Override it
/// (<c>ScadaBridge:Security:CookieName</c>) to give a distinct name to a deployment that
/// shares a hostname with another ScadaBridge environment — browser cookies are scoped by
/// host+path but NOT by port, so two clusters on the same host (e.g. two local Docker
/// stacks on <c>localhost:9000</c> and <c>localhost:9100</c>) would otherwise clobber each
/// other's session under a shared cookie name. A blank/whitespace value falls back to
/// <see cref="DefaultCookieName"/>. Changing this invalidates existing sessions on next deploy.
/// </summary>
public string CookieName { get; set; } = DefaultCookieName;
}
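Review bot: the blank/whitespace fallback promised in the doc comment ("A blank/whitespace value falls back to <see cref="DefaultCookieName"/>") is not enforced anywhere in this hunk; `public string CookieName { get; set; } = DefaultCookieName;` is a plain auto-property, so a bound empty string or whitespace would be stored as-is and the fallback rests entirely on the PostConfigure mentioned in the commit message, which is not shown here. Consider either normalizing in the setter or, at minimum, adding a test that binds `ScadaBridge:Security:CookieName` to `""` and `"   "` and asserts the cookie scheme still ends up with `DefaultCookieName`. Relatedly, nothing in this hunk rejects a configured name that is not a valid RFC 6265 cookie-name token (spaces, `;`, `=`, `,`, non-ASCII); such a value would produce a `Set-Cookie` header the browser discards, which presents as the same silent session loss this commit is fixing, so a startup-time validation with a clear error would be worth adding alongside the fallback.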