From 584d3c8bb102d9798feaa3e02f61951d79b1e63a Mon Sep 17 00:00:00 2001
From: Daniel Lenski
Date: Thu, 21 May 2020 17:56:19 -0700
Subject: [PATCH] Receiving a portal-*cookie should allow us to automatically retry the login on the gateway

This applies EVEN IF the the final portal login form was a challenge form, or a SAML form (that is, if ctx->alt_secret was set). It appears that the whole point of these `portal-*cookie`s is to allow us to automatically continue logging in through the gateway.

Signed-off-by: Daniel Lenski
---
 auth-globalprotect.c | 8 +++++---
 1 file changed, 5 insertions(+), 3 deletions(-)

diff --git a/auth-globalprotect.c b/auth-globalprotect.c
index a41975c2..b466bbc6 100644
--- a/auth-globalprotect.c
+++ b/auth-globalprotect.c
@@ -668,11 +668,13 @@ static int gpst_login(struct openconnect_info *vpninfo, int portal, struct login
 /* New form is already populated from the challenge */
 goto got_form;
 } else if (portal && result == 0) {
- /* Portal login succeeded; blindly retry same credentials on gateway, * unless it was a challenge auth form or alt-secret form.
+ /* Portal login succeeded; blindly retry same credentials on gateway if: * (a) we received a cookie that should allow automatic retry * OR (b) portal form was neither challenge auth nor alt-secret (SAML)
 */
 portal = 0;
- if (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret) {
+ if (ctx->portal_userauthcookie || ctx->portal_prelogonuserauthcookie || (strcmp(ctx->form->auth_id, "_challenge") && !ctx->alt_secret)) {
 blind_retry = 1;
 goto replay_form;
 }
-- 
2.49.0
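Review bot: The new condition treats any non-NULL `ctx->portal_userauthcookie` or `ctx->portal_prelogonuserauthcookie` as enough to replay the form on the gateway, even when that form was a challenge or SAML (alt-secret) form. Where these fields are populated is outside the hunk, so confirm the parser leaves them NULL when the portal returns an empty or placeholder value. Otherwise test the contents here, e.g. `(ctx->portal_userauthcookie && *ctx->portal_userauthcookie)`. Since a challenge response is normally single-use, a gateway that ignores the cookie would see a stale secret and may count it as a failed attempt; the comment should say what happens after a rejected blind retry, which this hunk does not show. gpst_login starts and ends outside the hunk.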