From 5e7f14bdcbbd22702c7b5de907398e94012bab2a Mon Sep 17 00:00:00 2001
From: Johann <76482511+Primexz@users.noreply.github.com>
Date: Sun, 20 Jul 2025 17:17:24 +0200
Subject: [PATCH] fix: show login page on broken session cookie (#2605)

* fix: redirect on invalid cookie
* docs: update changelog
* chore: remove duplicated code
* fix: status code handling if wrong http method is used

---------

Signed-off-by: Jan Larwig
Co-authored-by: Jan Larwig
---
 CHANGELOG.md | 1 +
 oauthproxy.go | 10 ++++------
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/CHANGELOG.md b/CHANGELOG.md
index d8cd1865..35685b7a 100644
--- a/CHANGELOG.md
+++ b/CHANGELOG.md
@@ -9,6 +9,7 @@
 ## Changes since v7.10.0
 
 - [#2615](https://github.com/oauth2-proxy/oauth2-proxy/pull/2615) feat(cookies): add option to set a limit on the number of per-request CSRF cookies oauth2-proxy sets (@bh-tt)
+- [#2605](https://github.com/oauth2-proxy/oauth2-proxy/pull/2605) fix: show login page on broken cookie (@Primexz)
 
 # V7.10.0
 
diff --git a/oauthproxy.go b/oauthproxy.go
index a35e08ac..d8984cde 100644
--- a/oauthproxy.go
+++ b/oauthproxy.go
@@ -633,12 +633,6 @@ func (p *OAuthProxy) isTrustedIP(req *http.Request) bool {
 // SignInPage writes the sign in template to the response
 func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code int) {
 prepareNoCache(rw)
- err := p.ClearSessionCookie(rw, req)
- if err != nil {
- logger.Printf("Error clearing session cookie: %v", err)
- p.ErrorPage(rw, req, http.StatusInternalServerError, err.Error())
- return
- }
 rw.WriteHeader(code)
 
 redirectURL, err := p.appDirector.GetRedirect(req)
@@ -652,6 +646,10 @@ func (p *OAuthProxy) SignInPage(rw http.ResponseWriter, req *http.Request, code
 redirectURL = "/"
 }
 
+ if err := p.ClearSessionCookie(rw, req); err != nil {
+ logger.Printf("Error clearing session cookie: %v", err)
+ }
+
 p.pageWriter.WriteSignInPage(rw, req, redirectURL, code)
 }
 
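Review bot: The session-cookie clear added in this hunk runs after `rw.WriteHeader(code)`, which the previous oauthproxy.go hunk keeps as a context line right after `prepareNoCache(rw)`, so any Set-Cookie header it adds is likely dropped. With a plain net/http ResponseWriter, header changes made after WriteHeader are not sent; if ClearSessionCookie works by adding an expiring Set-Cookie header (its body and the concrete type behind rw are not shown), the broken cookie would stay in the browser and come back on the next request. Keeping the new log-and-continue behaviour but placing it before the status is written would avoid that: `if err := p.ClearSessionCookie(rw, req); err != nil { logger.Printf("Error clearing session cookie: %v", err) }` directly after `prepareNoCache(rw)`. A handler test asserting a Set-Cookie header on the sign-in response would pin this; the part of SignInPage between the two hunks is outside the diff.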