sessions: check idp id to detect provider changes to force session invalidation (#3707)

* sessions: check idp id to detect provider changes to force session invalidation * remove dead code * fix test
2025-05-22 05:27:13 +02:00 · 2022-10-25 16:20:32 -06:00 · 2022-10-25 16:20:32 -06:00 · 30bdae3d9e
commit 30bdae3d9e
parent 3f7a482815
14 changed files with 265 additions and 193 deletions
--- a/proxy/state.go
+++ b/proxy/state.go
@ -9,8 +9,6 @@ import (
 	"github.com/pomerium/pomerium/internal/encoding/jws"
 	"github.com/pomerium/pomerium/internal/sessions"
 	"github.com/pomerium/pomerium/internal/sessions/cookie"
-	"github.com/pomerium/pomerium/internal/sessions/header"
-	"github.com/pomerium/pomerium/internal/sessions/queryparam"
 	"github.com/pomerium/pomerium/pkg/cryptutil"
 )

@ -26,7 +24,6 @@ type proxyState struct {
 	encoder         encoding.MarshalUnmarshaler
 	cookieSecret    []byte
 	sessionStore    sessions.SessionStore
-	sessionLoaders  []sessions.SessionLoader
 	jwtClaimHeaders config.JWTClaimHeaders

 	programmaticRedirectDomainWhitelist []string
@ -84,11 +81,6 @@ func newProxyStateFromConfig(cfg *config.Config) (*proxyState, error) {
 	if err != nil {
 		return nil, err
 	}
-	state.sessionLoaders = []sessions.SessionLoader{
-		state.sessionStore,
-		header.NewStore(state.encoder),
-		queryparam.NewStore(state.encoder, "pomerium_session"),
-	}
 	state.programmaticRedirectDomainWhitelist = cfg.Options.ProgrammaticRedirectDomainWhitelist

 	return state, nil