This applies EVEN IF the final portal login form was a challenge form, or a SAML
form (that is, if ctx->alt_secret was set).
It appears that the whole point of these `portal-*cookie`s is to allow us to automatically
continue logging in through the gateway.
Signed-off-by: Daniel Lenski <dlenski@gmail.com>
/* New form is already populated from the challenge */
goto got_form;
} else if (portal && result == 0) {
- /* Portal login succeeded; blindly retry same credentials on gateway,
- * unless it was a challenge auth form or alt-secret form.
+ /* Portal login succeeded; blindly retry same credentials on gateway if:
+ * (a) we received a cookie that should allow automatic retry
+ * OR (b) portal form was neither challenge auth nor alt-secret (SAML)
*/
portal = 0;
- if (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret) {
+ if (ctx->portal_userauthcookie || ctx->portal_prelogonuserauthcookie ||
+ (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret)) {
blind_retry = 1;
goto replay_form;
}
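Review bot: The new condition `if (ctx->portal_userauthcookie || ctx->portal_prelogonuserauthcookie ||` tests the two cookie fields only for being non-NULL, so a cookie that is present but empty would still set blind_retry after a challenge or SAML (alt_secret) portal form. The code that fills these fields is not part of this hunk; if it can store an empty string, test the first byte here as well, or normalise empty values to NULL where they are parsed, and state in the comment which of the two is relied on. Item (a) in the comment could also name both cookies, since either one alone now enables the retry.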