We’ve encountered a challenge with the “Clear-site-data Header on Logout” feature in ForgeRock 7.3, specifically when using the Chrome browser (version 118). I’d like to outline the use case to provide a clear understanding of the issue:
- User Authentication in Realm X (Application A):
  - The user successfully authenticates into Application A within Realm X.
  - Both application-specific and ForgeRock cookies are set.
- Automatic Realm Switch to Application B in Realm Y:
  - The user clicks a link redirecting them to Application B in Realm Y.
  - We’ve updated the switch realm.js to seamlessly submit the request without requiring user validation for realm change.
- Session ID Set and Logout/Authenticate in ForgeRock:
  - Application B sets a session ID to track the request.
  - The user is redirected to ForgeRock for logout in Realm X and authentication in Realm Y.
- Issue at Redirect Back to Application:
  - Upon returning to the application after the ForgeRock process, all previous cookies (both from Application A and the session ID from Application B) are inexplicably removed in Chrome (version 118).
  - Due to the absence of the session ID from Application B, the application fails to process the request.
Investigation and Findings:
- The problem appears to be specific to Chrome, version 118.
- Disabling the “Clear-site-data” feature on the realms resolves the issue.
As a reminder, this is the value set for this header:
Clear-Site-Data: "cache", "cookies", "storage", "executionContexts"
We are seeking clarification (if somebody has it) on why all cookies, including those from Application A, are deleted during this process. Ideally, only ForgeRock cookies should be affected.
For information, we don’t have the same issue with the Firefox browser.
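Added example, not part of the original post and not ForgeRock code: the W3C Clear Site Data specification scopes the "cookies" directive to the registrable domain (eTLD+1) of the response URL, not to the exact origin that sent the header and not to anything an AM realm knows about; Chrome implements it that way, so a single response from the AM host clears every cookie whose domain falls under the same registrable domain. The script below models that scoping against a constructed cookie jar. The hostnames am.example.com, appa.example.com and appb.example.com and the cookie names are assumptions chosen for illustration (iPlanetDirectoryPro is AM's default session cookie name; the others are invented), and the public-suffix set is a tiny stand-in for the real Public Suffix List that browsers consult.

```javascript
// Added example: models what a browser does with Clear-Site-Data: "cookies",
// following the W3C Clear Site Data spec and RFC 6265 domain matching.
// Hostnames, cookie names and the suffix set below are constructed for illustration.

// Constructed stand-in for the Public Suffix List (browsers use the full list).
const PUBLIC_SUFFIXES = new Set(["com", "net", "org", "co.uk"]);

// Registrable domain (eTLD+1): the public suffix plus one more label.
function registrableDomain(host) {
  const labels = host.toLowerCase().split(".");
  for (let i = 1; i < labels.length; i++) {
    const suffix = labels.slice(i).join(".");
    if (PUBLIC_SUFFIXES.has(suffix)) return labels.slice(i - 1).join(".");
  }
  return host.toLowerCase(); // no known suffix: treat the host itself as registrable
}

// RFC 6265 §5.1.3 domain-match: str equals domain, or domain is a suffix of str
// preceded by a dot (and str is not an IPv4 literal).
function domainMatches(str, domain) {
  str = str.toLowerCase();
  domain = domain.toLowerCase();
  if (str === domain) return true;
  const isIPv4 = /^\d{1,3}(\.\d{1,3}){3}$/.test(str);
  return !isIPv4 && str.endsWith("." + domain);
}

// Clear-Site-Data values are quoted tokens; unquoted or unknown tokens are ignored.
const KNOWN_TYPES = new Set(["cache", "cookies", "storage", "executionContexts", "*"]);
function parseClearSiteData(value) {
  const types = new Set();
  for (const part of value.split(",")) {
    const m = part.trim().match(/^"([^"]*)"$/);
    if (m && KNOWN_TYPES.has(m[1])) types.add(m[1]);
  }
  return types;
}

// Spec behaviour for "cookies": remove every cookie whose domain domain-matches
// the registrable domain of the response's host, regardless of which origin set it.
function clearCookiesForResponse(responseHost, cookieJar) {
  const domain = registrableDomain(responseHost);
  const removed = cookieJar.filter((c) => domainMatches(c.domain, domain));
  const kept = cookieJar.filter((c) => !domainMatches(c.domain, domain));
  return { domain, removed, kept };
}

// Apply a Clear-Site-Data header value received from responseHost to the jar.
function applyClearSiteData(headerValue, responseHost, cookieJar) {
  const types = parseClearSiteData(headerValue);
  if (!types.has("cookies") && !types.has("*")) {
    return { domain: null, removed: [], kept: cookieJar.slice() };
  }
  return clearCookiesForResponse(responseHost, cookieJar);
}

// Constructed cookie jar: AM, two applications on sibling hosts, a parent-domain
// cookie and one cookie on an unrelated registrable domain.
const COOKIE_JAR = [
  { name: "iPlanetDirectoryPro", domain: "am.example.com", owner: "ForgeRock AM" },
  { name: "APPA_SESSION", domain: "appa.example.com", owner: "Application A" },
  { name: "APPB_REQUEST_ID", domain: "appb.example.com", owner: "Application B" },
  { name: "SHARED", domain: "example.com", owner: "parent domain" },
  { name: "UNRELATED", domain: "other-company.net", owner: "third party" },
];

// The header value from the post, as sent by the (assumed) AM host.
const HEADER_VALUE = '"cache", "cookies", "storage", "executionContexts"';

const result = applyClearSiteData(HEADER_VALUE, "am.example.com", COOKIE_JAR);
console.log(`cleared scope: registrable domain ${result.domain}`);
for (const c of result.removed) console.log(`cleared: ${c.name} (${c.domain}, ${c.owner})`);
for (const c of result.kept) console.log(`kept:    ${c.name} (${c.domain}, ${c.owner})`);
```

Run with node. With the assumed layout, every cookie under example.com is cleared, including Application A's session and Application B's request cookie; only the cookie on a different registrable domain survives. The scope is decided by the host that sends the header, so a realm-level setting in AM cannot narrow it to "ForgeRock cookies only"; narrowing would need the applications and AM to live on different registrable domains, or the header to be sent only where clearing everything under that domain is acceptable.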