Skip to content

Only send samesite cookies #17075

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Merged
rullzer merged 1 commit into from
Feb 6, 2020
Merged

Only send samesite cookies #17075

rullzer merged 1 commit into from
Feb 6, 2020

Conversation

@rullzer
Copy link
Member

@rullzer rullzer commented Sep 9, 2019

This makes the last remaining two cookies lax. The session cookie
itself. And the session password as well (on php 7.3 that is). Samesite
cookies are the best cookies!

Signed-off-by: Roeland Jago Douma [email protected]

@rullzer rullzer added this to the Nextcloud 18 milestone Sep 9, 2019
ChristophWurst
ChristophWurst requested changes Sep 10, 2019
View reviewed changes
Copy link
Member

@ChristophWurst ChristophWurst left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Clicked around, shared some files. All fine 👍

@rullzer rullzer force-pushed the enh/samesitecookies branch from b9323f2 to b5e98dc Compare October 9, 2019 11:15
@rullzer
Copy link
Member Author

rullzer commented Oct 9, 2019

So... for some reason this does 💥 when mixed. So not this only happens on php7.3 and later.
We should probably test in older browsers. But then I guess this is good to go!

@rullzer rullzer added 3. to review Waiting for reviews and removed 2. developing Work in progress labels Oct 9, 2019
@rullzer rullzer force-pushed the enh/samesitecookies branch from b5e98dc to 1585e2f Compare October 14, 2019 20:05
kesselb
kesselb reviewed Oct 14, 2019
View reviewed changes
@kesselb kesselb mentioned this pull request Oct 21, 2019
Closed
kesselb
kesselb reviewed Oct 21, 2019
View reviewed changes
kesselb
kesselb reviewed Oct 21, 2019
View reviewed changes
@rullzer rullzer modified the milestones: Nextcloud 18, Nextcloud 19 Dec 9, 2019
@rullzer rullzer force-pushed the enh/samesitecookies branch from 1585e2f to ee37218 Compare February 6, 2020 11:28
@rullzer
Only send samesite cookies
2016e57 
This makes the last remaining two cookies lax. The session cookie
itself. And the session password as well (on php 7.3 that is). Samesite
cookies are the best cookies!

Signed-off-by: Roeland Jago Douma <[email protected]>
@rullzer rullzer force-pushed the enh/samesitecookies branch from ee37218 to 2016e57 Compare February 6, 2020 14:24
@rullzer rullzer merged commit 3b14cec into master Feb 6, 2020
@rullzer rullzer deleted the enh/samesitecookies branch February 6, 2020 19:37
@kesselb kesselb mentioned this pull request Mar 17, 2020
Closed
@peacepenguin
Copy link

peacepenguin commented Jun 18, 2020

This change breaks SAML auth in many cases with PHP 7.3 and above.

During a Nextcloud-SAML login, the user attempts to goto the nextcloud frontpage to login, nextcloud sets up the session cookies right away. Then redirects the user to login via SAML.

After the SAML login, there is a POST request with the SAML authorization back to nextcloud:
https:///index.php/apps/user_saml/saml/acs

With these cookies set to LAX, the POST doesn't contain the needed session cookies, and the auth fails entirely.

If we drop the PHP version to 7.2, the cookie doesn't get set to LAX, and the SAML response POST will contain the needed session cookie, and login via SAML is successful.

This phenomenon is documented here, https://php.watch/articles/PHP-Samesite-cookies :

When a cookie is marked samesite=Lax, that cookie will not be passed for any cross-domain requests unless it's a regular link that navigates user to the target site. Other requests methods (such as POST and PUT) and XHR requests will not contain this cookie.

I can confirm this is the source of the issue two different ways: drop the server php version to 7.2, issue gone; makes sense since this change code only sets the flag if php is 7.3 or above.

Also in chrome hitting nextcloud 19 with php 7.3 or 7.4, after the failed SAML login attempt from this issue, you can manually modify the session cookies in the F12 dev tools to remove the LAX flag from the two session cookies, then retrying login succeeds.

A workaround is setting up the SAML IdP server on the same subdomain as the nextcloud instance:

sso.mydomain.net
nextcloud.mydomain.net

In this scenario, the bug doesn't manifest, since they are both part of the same subdomain, LAX allows the cookie to be sent even in a POST.

Unfortunately changing the hosted FQDN of the Identity provider to match your nextcloud instance may not be an option, or feasible.

Perhaps an override for this cookie change can be put in place so SAML auth app users can continue to function as before?

@kesselb kesselb mentioned this pull request Jun 18, 2020
Closed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@nickvergessen nickvergessen nickvergessen approved these changes

@ChristophWurst ChristophWurst ChristophWurst approved these changes

@blizzz blizzz Awaiting requested review from blizzz

@juliusknorr juliusknorr Awaiting requested review from juliusknorr

@danxuliu danxuliu Awaiting requested review from danxuliu

@kesselb kesselb Awaiting requested review from kesselb

@skjnldsv skjnldsv Awaiting requested review from skjnldsv

Assignees

No one assigned

Labels

3. to review Waiting for reviews enhancement security

Projects

None yet

Milestone

Nextcloud 19

Development

Successfully merging this pull request may close these issues.

7 participants

@rullzer @peacepenguin @nickvergessen @ChristophWurst @kesselb @skjnldsv