When Mattermost is embedded inside an iframe, authentication with Mattermost-LDAP OAuth breaks, because the PHPSESSID cookie set by session_start() does not contain the correct parameters.
To Reproduce
Steps to reproduce the behavior:
Embed Mattermost in an iframe
Enable / configure OAuth authentication via this solution
Make sure authentication works with a direct call to Mattermost
Authenticate with Mattermost embedded in an iframe with a Chrome browser
After successful authentication, you get the "Congratulation you are authenticated ! However there is nothing to do here ..." message
Expected behavior
After a successful login the Mattermost client is displayed
Also works when using Mozilla Firefox browser
Problem
The PHPSESSID cookie is blocked on Chrome (at least 84+), because SameSite=None was assumed without setting session.cookie_secure=true
I solved the issue by changing the calls to session_start() to:
session_set_cookie_params(['samesite' => 'None']); session_start(['cookie_secure' => true,'cookie_httponly' => true]);
Possible solution
Set session.cookie_secure=true
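For reference, the following is an added example of a session bootstrap that applies the fix described in this report; it is not code from the Mattermost-LDAP project. It assumes PHP 7.3 or newer (array form of session_set_cookie_params with the samesite key) and a hypothetical TRUST_FORWARDED_PROTO constant standing in for whatever proxy configuration the deployment really has. It also refuses to start a session over plain HTTP, since a Secure cookie is never sent on HTTP and SameSite=None is only honoured together with Secure, so an HTTP deployment would silently produce a cookie Chrome drops.

```php
<?php
// Added example, not Mattermost-LDAP project code.
// Starts the PHP session with cookie attributes that survive being loaded
// cross-site inside an iframe (Chrome 80+ rejects SameSite=None without Secure).
declare(strict_types=1);

// Hypothetical deployment flag: set to true only when a TLS-terminating
// reverse proxy in front of PHP is known to set X-Forwarded-Proto.
const TRUST_FORWARDED_PROTO = false;

/**
 * True when the current request arrived over HTTPS, either directly or
 * (if trusted) via a reverse proxy that sets X-Forwarded-Proto.
 */
function request_is_https(array $server): bool
{
    if (!empty($server['HTTPS']) && $server['HTTPS'] !== 'off') {
        return true;
    }
    if ((int) ($server['SERVER_PORT'] ?? 0) === 443) {
        return true;
    }
    if (TRUST_FORWARDED_PROTO
        && strtolower($server['HTTP_X_FORWARDED_PROTO'] ?? '') === 'https') {
        return true;
    }
    return false;
}

/**
 * Start a session whose cookie is accepted when the page is embedded in an
 * iframe on another origin: SameSite=None requires Secure, and Secure
 * requires HTTPS, so the three go together.
 */
function start_iframe_safe_session(array $server): void
{
    if (!request_is_https($server)) {
        http_response_code(400);
        exit('This OAuth endpoint must be served over HTTPS.');
    }

    session_set_cookie_params([
        'lifetime' => 0,        // session cookie, discarded when the browser closes
        'path'     => '/',
        'secure'   => true,     // equivalent to session.cookie_secure=true
        'httponly' => true,     // keep the id away from scripts on the page
        'samesite' => 'None',   // required for the cross-site iframe case
    ]);

    session_start([
        // Refuse session ids the server did not issue (blocks session fixation).
        'use_strict_mode' => true,
    ]);
}

start_iframe_safe_session($_SERVER);
// Resulting header, for reference:
// Set-Cookie: PHPSESSID=...; path=/; secure; HttpOnly; SameSite=None
```

Because SameSite=None means the browser attaches the cookie to every cross-site request, the session cookie no longer provides any CSRF protection on its own; the OAuth flow should therefore continue to validate the state parameter rather than rely on SameSite.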