www.infradead.org Git - users/dwmw2/openconnect.git/commit
Pass the `portal-*cookie` values received in the portal config to the gateway login
author    Kevin Yue <yuezk001@gmail.com>
          Wed, 13 May 2020 06:35:42 +0000 (14:35 +0800)
committer Daniel Lenski <dlenski@gmail.com>
          Tue, 15 Jun 2021 17:24:18 +0000 (10:24 -0700)
commit    09caf8c806305f7a4dc0a4858412f89728c108ae
tree      967920168463763e05192d5d3eac8ef44c9ec493
parent    21495665494df567657fd6b8774ede6d1e899e1d
Pass the `portal-*cookie` values received in the portal config to the gateway login

These "cookies" appear to be the mechanism by which GlobalProtect clients
can log in to the portal and then automatically log in to the gateway *even if*
the credentials used on the portal are not reusable:

1. Because the credentials used on the portal include a one-time password.
2. Because the credentials used on the portal resulted from SAML login.
   (ctx->alt_secret, which leads to a SAML nonce value that can only be
   used once).

The logs provided by users (see
https://gitlab.com/openconnect/openconnect/-/issues/147#note_578888250 and
https://gitlab.com/openconnect/openconnect/-/issues/147#note_580406042)
allowed me to answer one of the key unanswered questions (see
https://gitlab.com/openconnect/openconnect/-/merge_requests/109#note_341959833):

> If we do have a `portal_userauthcookie` and/or
> `portal_prelogonuserauthcookie`, should we omit the password from the form
> submitted to the gateway?  Or do we have to leave it in?

The answer is that it doesn't appear to matter: real servers appear to
ignore the `passwd` field if the `portal-*cookie` field is correctly set.

Signed-off-by: Kevin Yue <yuezk001@gmail.com>
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
auth-globalprotect.c