invalid cookie. Required remote address does not match
976 views
Skip to first unread message
Aaron Chantrill
May 12, 2025, 4:38:09 PM5/12/25
to cas-...@apereo.org
After upgrading from 6.6 to 7.2, my users are occasionally getting an error screen saying
"Unauthorized Access" and listing "screen.pac4j.authn.AuthenticationException" as the cause.
When I look at the CAS log, I'm seeing the error as listed above, with two full IP addresses with ports. The ip addresses match, but the ports don't. It looks like for some reason, CAS is expecting the same port to be used for the initial request and the authentication request, but the client is changing the port they are talking on.
Is there an easy way to either disable this check or set it to only check the ip address and not the port, or do I have to override the obtainValueFromCompoundCookie() method from DefaultCasCookieValueManager, which is where the error appears to be coming from?
It looks like I could disable the ip address check completely if I can set the cookieProperties.isGeoLoateClientSession() value to false, but I'm not sure how to do that. I tried setting cas.tgc.geo-locate-client-session to false in my cas.properties file, but I'm not sure if that will work or not and don't have a way to test it.
Thank you,
-- 
Ray Bon
May 12, 2025, 10:10:29 PM5/12/25
to cas-...@apereo.org
Aaron,
What kind of client are you talking about?
Describe your setup and why there is a change in port.
Include some of the log.
Ray
From: 'Aaron Chantrill' via CAS Community <cas-...@apereo.org>
Sent: May 12, 2025 12:26
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] invalid cookie. Required remote address does not match
Sent: May 12, 2025 12:26
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: [cas-user] invalid cookie. Required remote address does not match
--
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJt4T%3DtcTUvzXMOKoZDj%3DDaXsEA9Pso-3A0MK%3DXL3UM21FxQaw%40mail.gmail.com.
- Website: https://apereo.github.io/cas
- List Guidelines: https://goo.gl/1VRrw7
- Contributions: https://goo.gl/mh7qDG
---
You received this message because you are subscribed to the Google Groups "CAS Community" group.
To unsubscribe from this group and stop receiving emails from it, send an email to cas-user+u...@apereo.org.
To view this discussion visit https://groups.google.com/a/apereo.org/d/msgid/cas-user/CAJt4T%3DtcTUvzXMOKoZDj%3DDaXsEA9Pso-3A0MK%3DXL3UM21FxQaw%40mail.gmail.com.
Aaron Chantrill
May 19, 2025, 10:38:41 PM5/19/25
to cas-...@apereo.org
I'm not completely sure which "client" you are referring to. In this case, I am using CAS 7.2 as a client for AzureAD via Pac4j. I'm pretty sure the user is using Google Chrome as the browser. This issue only showed up after migrating from 6.6.12 to 7.2. It did not occur in testing, but occasionally shows up now that it is in production. This is the error the user's see:
The only line I see in the log is:
ERROR [org.apereo.cas.web.flow.actions.DelegatedClientAuthenticationAction] - <Client AzureB2CClient failed to validate credentials>
which does not feel particularly helpful. Sometimes this is preceded by a SocketTimeoutException warning, but it's difficult for me to tell which lines are connected to each other in the log. I don't think the warning I was seeing before about the Invalid cookie is actually related. I have logged in successfully on my test server and seen this warning in the log, so I don't think it actually causes the authentication to fail.
The users can always log in if they "try again" a few times, but some of them are getting annoyed about having to type in their password several times in a row in the morning once a week or so. I'm thinking now it may be a communication issue between the server I have CAS running on and AzureAD, although I'm still confused why this would only start happening after upgrading CAS. I've searched the log for the error above, and it seems to occur every occasionally with 5 minutes to 2 hours between instances. From the log I can't tell if particular users are being affected more than others or if only certain users are bothered (ones that type their password in rather than allowing the browser to remember it?).
Thank you,
Aaron
Ray Bon
May 20, 2025, 11:39:20 PM5/20/25
to cas-...@apereo.org
Aaron,
Try increasing ldap logging; this property at the beginning of log4j2.xml, ldap.log.level
It can produce a lot of output so best if you could replicate the problem in dev or test.
You may have to adjust your ldap settings; for example see notes on pool-passivator
Ray
From: 'Aaron Chantrill' via CAS Community <cas-...@apereo.org>
Sent: May 19, 2025 12:18
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] invalid cookie. Required remote address does not match
To: cas-...@apereo.org <cas-...@apereo.org>
Subject: Re: [cas-user] invalid cookie. Required remote address does not match
Pablo Vidaurri
Jul 5, 2025, 10:51:18 AM7/5/25
to CAS Community, Ray Bon
I am also starting to see this same error in my logs and users complaining of sessions only lasting a few minutes.
Some of these IP mismatches are from Zscaler.
Some of these IP mismatches share the same 3 first octets with only last octet changing
Some of these IP share no octets but appear to be from same ISP within the same region.
I see I can add IP patterns, this may be useful for zscaler and VPN situations for internal users where I have VPN and Zscaler IP ranges:
cas.tgc.allowed-ip-addresses-pattern=But his may not handle external users. For this, I suppose cas.tgc.pin-to-session=true can be used, but what security issues will this raise? I assume this will make it easier to steal sessions if not tied to IP.
-psv
Reply all
Reply to author
Forward
0 new messages