Introduction
This is a variant of the closed issue #1014 ("when two login flows start at the same time, both end up in an infinite redirection loop"). The fix in PR #1022 addressed the case where the state cookie exists but the CSRF token does not match ("Invalid CSRF token"). However, on SQLPage v0.44.1 we still observe a brief redirect loop on cold browser start, but with a different error: the state cookie is entirely absent ("No sqlpage_oidc_state_* cookie found").
To Reproduce
- Close the browser completely (no session cookies)
- Open the browser and navigate to https:///index.sql
- The browser briefly displays the "this page has been redirected multiple times" (ERR_TOO_MANY_REDIRECTS) message
- After ~1–2 seconds, the page loads correctly
- On subsequent refreshes (without closing the browser), no message appears
Actual behavior
Brief redirect loop (~1–2 seconds) on every cold browser start. The loop self-resolves thanks to MAX_OIDC_REDIRECTS = 3, but the user sees a confusing browser-level error message.
Expected behavior
Login should complete without a visible redirect loop on the first cold browser visit.
Version information
- SQLPage version: v0.44.1
- OS: Debian
- Database: PostgreSQL
- Database version: 13
- OIDC provider: Microsoft Entra ID (Azure AD) v2.0
- Reverse proxy: Apache 2.4 with SSL termination, ProxyPreserveHost On, X-Forwarded-Proto: https
- sqlpage.json:
{
"listen_on": "127.0.0.1:9090",
"host": "",
"web_root": "./www",
"oidc_client_id": "",
"oidc_client_secret": "",
"oidc_issuer_url": "https://login.microsoftonline.com//v2.0"
}
- Azure AD app registration:
- Redirect URI: https:///sqlpage/oidc_callback (no trailing slash)
- No logout URL configured
- No responseMode in manifest (defaults to query)
- oidc_scopes not explicitly set (default: openid email profile)
Additional context
Server Logs
Captured with journalctl -u sqlpage --since "1 hour ago" | grep oidc. Tokens redacted ().
jul 07 16:00:19 INFO sqlpage[...] OIDC redirect URL for : https:///sqlpage/oidc_callback
jul 07 16:00:19 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:19 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:20 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0). Refreshing oidc provider metadata, then redirecting to home page: No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:20 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:20 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:20 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=xOfNdUdviWCxkjPK-UA2fA&session_state= HTTP/1.1" 303 14
jul 07 16:00:21 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:21 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:22 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:22 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=kggvpGsT3Y-EQB_uVKOoGQ&session_state= HTTP/1.1" 303 14
jul 07 16:00:22 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:24 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:26 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:27 INFO sqlpage[...] Redirecting to / after a successful login
Introduction
This is a variant of the closed issue #1014 ("when two login flows start at the same time, both end up in an infinite redirection loop"). The fix in PR #1022 addressed the case where the state cookie exists but the CSRF token does not match ("Invalid CSRF token"). However, on SQLPage v0.44.1 we still observe a brief redirect loop on cold browser start, but with a different error: the state cookie is entirely absent ("No sqlpage_oidc_state_* cookie found").
To Reproduce
Actual behavior
Brief redirect loop (~1–2 seconds) on every cold browser start. The loop self-resolves thanks to MAX_OIDC_REDIRECTS = 3, but the user sees a confusing browser-level error message.
Expected behavior
Login should complete without a visible redirect loop on the first cold browser visit.
Version information
{
"listen_on": "127.0.0.1:9090",
"host": "",
"web_root": "./www",
"oidc_client_id": "",
"oidc_client_secret": "",
"oidc_issuer_url": "https://login.microsoftonline.com//v2.0"
}
Additional context
Server Logs
Captured with journalctl -u sqlpage --since "1 hour ago" | grep oidc. Tokens redacted ().
jul 07 16:00:19 INFO sqlpage[...] OIDC redirect URL for : https:///sqlpage/oidc_callback
jul 07 16:00:19 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:19 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:20 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0). Refreshing oidc provider metadata, then redirecting to home page: No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:20 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:20 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:20 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=xOfNdUdviWCxkjPK-UA2fA&session_state= HTTP/1.1" 303 14
jul 07 16:00:21 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:21 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=8FsztBELZz-ekYCxRRClpw&session_state= HTTP/1.1" 303 14
jul 07 16:00:22 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:22 INFO sqlpage[...] 127.0.0.1 "GET /sqlpage/oidc_callback?code=&state=kggvpGsT3Y-EQB_uVKOoGQ&session_state= HTTP/1.1" 303 14
jul 07 16:00:22 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:24 INFO sqlpage[...] Redirecting to / after a successful login
jul 07 16:00:26 ERROR sqlpage[...] Failed to process OIDC callback (attempt 0): No sqlpage_oidc_state_8FsztBELZz-ekYCxRRClpw cookie found
jul 07 16:00:27 INFO sqlpage[...] Redirecting to / after a successful login