OAuth flow imperfection - not, this is cookie lifetime

This question is not for the Team, because it is already reported. This question is for the Community. I noticed, in my interpretation, some imperfection in the OAuth authentication implemented by PoE. For better clarity I describe the process and show where the bug is, as I see it.

1. The user enters the www site.
2. Clicks "login with Path of Exile", and is redirected to the Path of Exile site to accept the authorization.
3. If not logged in, he must log in to PoE first - here the security problem starts.
4. After login, the user can confirm the authorization, and is redirected back to the site.
5. Does something on this site and logs out - the next step of the problem, but is not logged out from the PoE site on that machine.
Everything looks ok when this machine is the user's own PC etc., but there is a huge security problem if this is a public machine or someone else's.
This problem is hidden.

🌞 Designer of SimpleFilter see My Item Filters 🌞
Last edited by koszmarnica on Mar 8, 2023, 12:26:16 PM
Last bumped on Mar 8, 2023, 8:36:20 AM
This thread has been automatically archived. Replies are disabled.
Hi koszmarnica

You're right that a user has to log in to the site (aka authentication) to give a third party app authorization to access their data.

Your app has its own independent authentication.

When a user logs out of your app, they are de-authenticating themselves from your app, not from the PoE website. Allowing apps to log users out of the PoE website would be a security concern.

Your app has no control over how users authenticate with the PoE website.

You can read more about OAuth (and its common misconceptions) here: https://oauth.net/articles/authentication/
GGG Web Dev
Last edited by Guy_GGG on Dec 6, 2022, 5:31:55 PM
Hi there

Why do you interpret this as a request for getting rights to log out or to get authorization for logout? I think there is a misunderstanding.

That problem could be resolved in two ways and without extending or changing the OAuth system. It could rather be called extending logout, but that is the second method. As follows:

First: at the beginning - simple: after logging in for authentication, the user's browser does not stay logged in to the PoE site - the browser is not logged in via the session system - this is not a requirement of the OAuth system or of authentication control during the granting of authorization.

Second, extending logout - log out the browser, similarly to during authentication:
https://www.pathofexile.com/logout?client_id=example&url=https://example.com&response_type=logout&sid=sid

and the PoE site sends a logout response if the user confirms and redirects back:
https://example.com?client_id=example&logout=true&sid=sid
🌞 Designer of SimpleFilter see My Item Filters 🌞
Last edited by koszmarnica on Dec 7, 2022, 11:22:25 AM
Guy_GGG wrote:
Your app has no control over how users authenticate with the PoE website.

Just in case a restatement of the issue may help here:

A user wants to authorize an app to access their PoE account.

They are redirected to the PoE website, where they are not yet logged in. They log in, and complete the authorization.

They then return to the app. Despite only logging in to perform an authorization, they remain logged in, and may not be aware.

The issue being reported is that a login explicitly to grant an app permission is not expected to be long-lived. Having the user remain logged in after this authorization could lead to security issues on public/shared devices.

Rather than the app having control over how users authenticate with the website, the suggestion is that the website understand that users are authenticating for a specific purpose, and to give credentials that are only for that purpose.


---

I tried replicating this experience with the Filterblade website, but logging into PoE via Steam landed me on my profile page instead of the app's authorization prompt. I'm not sure if this website's behavior is different for other login methods.
Jadian wrote:

The issue being reported is that a login explicitly to grant an app permission is not expected to be long-lived. Having the user remain logged in after this authorization could lead to security issues on public/shared devices

Yes! Finally :)

It could be treated as: the browser is logged in to PoE, not the user (the human), and it remains logged in after logout from the application...

Solution:
1. After login, set the cookie lifetime to 0 (browser/tab closing) on www.pathofexile.com/oauth/ only
2. After confirming the authorization, abort the session and set the cookie lifetime to delete
🌞 Designer of SimpleFilter see My Item Filters 🌞
Last edited by koszmarnica on Dec 6, 2022, 11:36:19 PM
koszmarnica wrote:
This question is not for the Team, because it is already reported. This question is for the Community. I noticed, in my interpretation, some imperfection in the OAuth authentication implemented by PoE. For better clarity I describe the process and show where the bug is, as I see it.

1. The user enters the www site.
2. Clicks "login with Path of Exile", and is redirected to the Path of Exile site to accept the authorization.
3. If not logged in, he must log in to PoE first - here the security problem starts.
4. After login, the user can confirm the authorization, and is redirected back to the site.
5. Does something on this site and logs out - the next step of the problem, but is not logged out from the PoE site on that machine.
Everything looks ok when this machine is the user's own PC etc., but there is a huge security problem if this is a public machine or someone else's.
This problem is hidden.



For GGG: I suspect the problem lies in the POESESSID cookie that is generated and persists not for oauth but for the base *.pathofexile.com domain, which is set in the client after authenticating any login request, including for oauth grants.

For the OP: While the context here is oauth authorization, your same problem statement exists regardless of the oauth grant use case. Hopefully the immediate answer here is obvious: Don't log into secure sites with login/password credentials on an untrusted machine or untrusted network. Unless GGG spends a bunch of money on developing and then maintaining PKI/OTP services, this isn't likely to change any time soon.

In the first option you present, as cookies are domain based, GGG would need to stand up a new domain and database exclusive to authentication and oauth to keep "normal" browser users from getting logged out for connecting an oauth app. Right now the cookie is just for https://www.pathofexile.com and a web-only (https://) cookie, so expiring or max-aging that requires tracking. I'm guessing just doubling the lookup requests for session validation db/backend isn't doable with the current infrastructure vs. active users. The arbitrary-input redirect part of the second oauth suggestion is likely more prone to phishing abuse and really doesn't fix doing first-class authentication on untrusted clients, unless the oauth app is also aware of the allowed redirect inputs... but again, doesn't solve the same-domain session expiry that would occur.

It is unfortunate that most of the account non-delegated login authentication security revolves around (A) potentially guessable login/password credentials and (B) a single session cookie {POESESSID}, which can be trivial to exfiltrate in an untrusted environment... I just don't see GGG spending resources to re-code everything that their forums/shop/trade/game-client authentication ties into, to support a more secure layered credential grant.

Ideally opt-in one-time-password (2FA) auth with significantly reduced cookie max-age would help but... I mean... good luck on convincing GGG that this is more important than [ Epic List of 10,000 Other Items ].

For what it's worth, I believe GGG may have some rough compromise prevention by way of forcing e-mail based 2FA if a user logs in from an IP other than the IP they logged in from previously. If you're playing from an internet cafe or something, this probably won't help if you were compromised by someone reusing your session token from the same source IP.

It's likely a very tough ($$$) problem for GGG to solve right now, or they likely would have already added granular session/token control (something like https://www.pathofexile.com/my-account/applications but for sessions).

In the meantime, the best you can do is change your password every time you oauth an app and hope that changing your password triggers expiration of existing session cookies.




Yet another unpaid Path of Exile 2 Alpha Tester.
This is a cookie problem: authentication during authorization. Agreed.
🌞 Designer of SimpleFilter see My Item Filters 🌞
Last edited by koszmarnica on Dec 7, 2022, 9:39:34 AM
koszmarnica wrote:
Hi there

Why do you interpret this as a request for getting rights to log out or to get authorization for logout? I think there is a misunderstanding.

That problem could be resolved in two ways and without extending or changing the OAuth system. It could rather be called extending logout, but that is the second method. As follows:

First: at the beginning - simple: after logging in for authentication, the user's browser does not stay logged in to the PoE site - the browser is not logged in via the session system - this is not a requirement of the OAuth system or of authentication control during the granting of authorization.

Second, extending logout - log out the browser, similarly to during authentication:
https://www.pathofexile.com/logout?client_id=example&url=https://example.com&response_type=logout&sid=sid

and the PoE site sends a logout response if the user confirms and redirects back:
https://example.com?client_id=example&logout=true&sid=sid


Support has had this problem for a while: partial or complete misinterpretation of the issue. I have had issues where the exchange between myself and support exceeded 30+ emails. 80% of the time, I give up hope that they have the ability or capacity to actually solve even the simplest of tasks. They will also just outright ignore you. It's quite strange.

There are times, however, where, for whatever reason, the issue is resolved within minutes. Thus it appears to me that the scope of support is very limited, although they have always been very polite and professional.

However if you are Zizaran, you can expect your problems/concerns to be addressed immediately, if not outright entirely solved.

If you found this interesting I would screenshot this post, as support has a habit of deleting even the mildest of my forum comments. (T01)
Confront those who dare obstruct the transmission of your information with swift rejection, for they sit silently obsessing over your submission.
Last edited by mostbrilliant2 on Dec 7, 2022, 1:47:52 PM
Ok, I found the point of the problem.
There is a problem with the default cookie lifetime when Remember Me is not selected, and with the synchronization/translation of lifetimes between the cookie lifetime and the database row. Simple. When a session is set, there are two media where it happens:
1. COOKIE and
2. DATABASE

In some cases the session lifetime setting in PHP is not equivalent between the two, the cookie and the database. In other words, they might not use the same value.

Setting a cookie with lifetime 0 means, as described: the session lives until the browser session ends. My browser, Opera, says, when I check the cookie lifetime:
When the browser session ends

This is not true, and I don't know since when. I discovered the same problem on my site. Closing the browser, resetting the computer, laptop etc. does not remove the cookie from the browser; it remains, and there is a question: for how long?

I discovered that the browser stores the cookie until it is accepted by the site.

And there is the point. On the PoE site, the default lifetime of the cookie set in the database is (as I guess, when Remember Me is selected during login) one month.

Then not selecting Remember Me during login sets the cookie to 0, resulting in a lifetime of 30 days.

I suggest using two lifetimes when the session is set: one as the default, 10 minutes or less, with the cookie path restricted to oauth/authorize in the case of the OAuth flow, and a second of 1 month when Remember Me is chosen.
🌞 Designer of SimpleFilter see My Item Filters 🌞
Last edited by koszmarnica on Mar 9, 2023, 5:38:51 AM
