EPrints Technical Mailing List Archive

See the EPrints wiki for instructions on how to join this mailing list and related information.

Message: #09547



Re: [EP-tech] Redirect loop after shibboleth authentication


CAUTION: This e-mail originated outside the University of Southampton.

Hi Dave

 

Thanks for your quick reply

 

This is what I’m seeing getting the cookie info from Firefox from the request

 

./shibboleth/login?target=https%3A%2F%2Forca-dev2.cardiff.ac.uk%2Fcgi%2Fusers%2Fhome

 

{
        "Response Cookies": {
                "secure_eprints_session:orca-dev2.cardiff.ac.uk": {
                        "domain": "orca-dev2.cardiff.ac.uk",
                        "path": "/",
                        "samesite": "Strict",
                        "secure": true,
                        "value": "1d48249d81423fe7fcd6e37d8b00a748"
                }
        }
}

 

{
        "Request Cookies": {
                "_ga": "GA1.1.512524483.1705663780",
                "_ga_RRV66RFBKP": "GS1.1.1705663779.1.0.1705663784.0.0.0",
                "_shibsession_xxx": "_9e2b8035712cbd57a6b7dc816a7545e4"
        }
}

 

And when it redirects to ./cgi/users/home (where it loops)

 

{
        "Request Cookies": {
                "_ga": "GA1.1.512524483.1705663780",
                "_ga_RRV66RFBKP": "GS1.1.1705663779.1.0.1705663784.0.0.0",
                "_shibsession_xxx": "_9e2b8035712cbd57a6b7dc816a7545e4"
        }
}

 

When I refresh the cookies are

 

{
        "Request Cookies": {
                "_ga": "GA1.1.1118556027.1705664127",
                "_ga_RRV66RFBKP": "GS1.1.1705664127.1.0.1705664127.0.0.0",
                "_shibsession_xxx": "_27e34d6d248703d1d0cacdc14ad393f8",
                "secure_eprints_session:orca-dev.cardiff.ac.uk": "1a81565f2d54425ba0a6ed135d7feb3c"
        }
}

 

The difference between this and the working CentOS 7 server is that the secure_eprints_session value is set on the initial request to /cgi/users/home, I’ve also noticed that

 

"samesite": "Strict",

 

Isn’t set on the CentOS 7 server – As far as I’m aware I haven’t changed this at all so should be set to strict on both

 

Thanks again

 

Lee

 

From: David R Newman <drn@ecs.soton.ac.uk>
Date: Thursday, 18 January 2024 at 15:18
To: eprints-tech@ecs.soton.ac.uk <eprints-tech@ecs.soton.ac.uk>, Lee Paton <PatonL@cardiff.ac.uk>
Subject: Re: [EP-tech] Redirect loop after shibboleth authentication

External email to Cardiff University - Take care when replying/opening attachments or links.


 

Hi Lee,

So there could be a few issues here.  It may be useful if you can show a couple of iterations of the redirect loop, as this may help identify some minor technicality like a switch between HTTP and HTTPS or a missing or present trailing slash.

/shibboleth/login should redirect you to /cgi/users/home if your current user session has appropriate environment variables set for an authenticated Shibboleth session, otherwise it will likely redirect you to /account_required.html.  It seems like /shibboleth/login is redirecting to /cgi/users/home and then, as it cannot find the secure_eprints_session... cookie, it is redirecting back to /shibboleth/login.  Clearly this could be a race condition with the secure_eprints_session not being set and therefore sent as part of your request for /cgi/users/home. However, when you manually refresh the page your user session has received the required cookie and then sends it in this request.

From what you have said your version of EPrints has not changed (it was 3.4.5 prior to the migration) and all that has really changed is a newer operating system, with virtually everything else much the same.  My suspicion is that at some point there is an HTTP rather than HTTPS URL, which means the secure_eprints_session will not be available as it has the "Secure" attribute set to "true".  When you do see the secure_eprints_session cookie it would be useful if you could share its attributes like my example below:

secure_eprints_session%3Aexample.eprints.org:"ef9def123af12384e9abcd1a49ea27abc"
Created:"Wed, 17 Jan 2024 14:45:37 GMT"
Domain:".example.eprints.org"
Expires / Max-Age:"Session"
HostOnly:false
HttpOnly:false
Last Accessed:"Thu, 18 Jan 2024 15:12:39 GMT"
Path:"/"
SameSite:"Strict"
Secure:true
Size:82

 

Regards

 

David Newman

 

On 18/01/2024 14:46, Lee Paton wrote:


Hi

 

I’m currently migrating our eprints (version 3.4.5) repository from CentOS 7 to RHEL 8, everything has gone smoothly apart from the repository going into a redirect loop after the session has authenticated and you’re redirected back to a logged in session on the repo with:

 

https://orca-dev2.cardiff.ac.uk/shibboleth/login?target=https%3A%2F%2Forca-dev2.cardiff.ac.uk%2Fcgi%2Fusers%2Fhome

 

If you then hit return on the browser’s address the user’s home page is displayed successfully

 

Looking at the http headers it appears that the secure_eprints_session value isn’t being set in a cookie (I’ve compared headers to the working CentOS 7 dev system) on that first redirect after shibboleth authentication has completed

 

The config is identical to the one that is currently running on our CentOS 7 environment, and the versions of Apache are also the same, there is a small difference in perl versions (5.16 and 5.26). The main difference is that I’m using our test idp to authenticate against using a hosts file change on my macbook instead of using our production idp.  Would this make a difference?

 

Any pointers or suggestions would be much appreciated – I’ve hit a brick wall with this

 

Thanks

 

Lee
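
The checks suggested in this thread (an HTTP/HTTPS switch, a trailing-slash difference, and whether the session cookie's Secure, Domain and Path attributes allow it to be sent) can be run over a captured redirect chain. The following is an added example, not part of the original messages or of EPrints; the host repo.example.org and the hop data are constructed, and SameSite handling and timing are not modelled.

```python
from urllib.parse import urlsplit
# Constructed sample (hypothetical host repo.example.org, not data from the thread).
# "sent"/"set" list the cookie names seen in each hop's request and response.
COOKIE = {"name": "secure_eprints_session:repo.example.org",
          "domain": "repo.example.org", "path": "/", "secure": True}
LOGIN = "https://repo.example.org/shibboleth/login?target=%2Fcgi%2Fusers%2Fhome"
HOPS = [
    {"url": LOGIN, "sent": [], "set": [COOKIE["name"]]},
    {"url": "http://repo.example.org/cgi/users/home", "sent": [], "set": []},
    {"url": LOGIN, "sent": [COOKIE["name"]], "set": []},
    {"url": "https://repo.example.org/cgi/users/home/", "sent": [COOKIE["name"]], "set": []},
]

def cookie_blockers(cookie, url):
    """Reasons a browser would not attach `cookie` to a request for `url`."""
    u = urlsplit(url)
    host, path = u.hostname or "", u.path or "/"
    dom, cpath = cookie["domain"].lstrip("."), cookie["path"]
    reasons = []
    if cookie["secure"] and u.scheme != "https":
        reasons.append("Secure cookie, but request is " + u.scheme)
    if host != dom and not host.endswith("." + dom):
        reasons.append("host %s does not match Domain %s" % (host, dom))
    inside = path == cpath or (path.startswith(cpath) and
                               (cpath.endswith("/") or path[len(cpath):][:1] == "/"))
    if not inside:
        reasons.append("path %s is outside cookie Path %s" % (path, cpath))
    return reasons

def audit(hops, cookie):
    """Walk a redirect chain and return (hop_index, finding) tuples."""
    findings, seen, have = [], {}, False
    for i, hop in enumerate(hops):
        u = urlsplit(hop["url"])
        if i and urlsplit(hops[i - 1]["url"]).scheme != u.scheme:
            findings.append((i, "scheme switched to " + u.scheme))
        key = (u.hostname, u.path.rstrip("/"))   # ignore scheme, query and final slash
        if key in seen:
            j, prev = seen[key]
            findings.append((i, ("same path as hop %d (loop)" if prev == u.path
                                 else "trailing slash differs from hop %d") % j))
        seen.setdefault(key, (i, u.path))
        if have and cookie["name"] not in hop["sent"]:   # cookie was set earlier but not sent
            why = cookie_blockers(cookie, hop["url"])
            findings.append((i, "; ".join(why) or
                             "cookie missing, not explained by Secure/Domain/Path"))
        have = have or cookie["name"] in hop["set"]
    return findings

print(*audit(HOPS, COOKIE), sep="\n")
```

A "not explained by Secure/Domain/Path" finding means the cookie was eligible on those three attributes, so the remaining attributes (such as SameSite) and the order of requests are what is left to inspect.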



*** Options: https://wiki.eprints.org/w/Eprints-tech_Mailing_List
*** Archive: https://www.eprints.org/tech.php/
*** EPrints community wiki: https://wiki.eprints.org/