Crivaledaz / Mattermost-LDAP

This module provides external LDAP authentication for Mattermost Team Edition (free).
MIT License

PHPSESSID cookie is not accepted anymore in certain environments on Google Chrome / Microsoft Edge Chromium #64

Open jprusch opened 4 years ago

jprusch commented 4 years ago

When Mattermost is embedded inside an iframe, the authentication with Mattermost-LDAP OAuth breaks, because the PHPSESSID cookie set by session_start() does not contain the correct parameters.

To Reproduce

Steps to reproduce the behavior:

  1. Embed Mattermost in an iframe.
  2. Enable / configure OAuth authentication via this solution.
  3. Make sure authentication works with a direct call to Mattermost.
  4. Authenticate with Mattermost embedded in an iframe with a Chrome browser.
  5. After successful authentication, you get the "Congratulation you are authenticated ! However there is nothing to do here ..." message.

Expected behavior

After a successful login the Mattermost client is displayed. This also works when using the Mozilla Firefox browser.

Problem

The PHPSESSID cookie is blocked on Chrome (at least 84+), because SameSite=None was assumed without setting session.cookie_secure=true.

Possible solution

Set session.cookie_secure=true.

[screenshot attachment: cookie_php_session]

jprusch commented 4 years ago

I solved the issue by changing the calls to session_start() to:

    // Cookie must be sent to the cross-site iframe, so ask for SameSite=None ...
    session_set_cookie_params(['samesite' => 'None']);
    // ... which browsers only accept together with the Secure flag; HttpOnly keeps it away from scripts.
    session_start(['cookie_secure' => true, 'cookie_httponly' => true]);
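As an added check (example code written for this page, not part of Mattermost-LDAP and not the reporter's patch): a small Python audit that parses the Set-Cookie headers a server returns, for instance pasted from `curl -si` against the OAuth endpoint, and reports whether the session cookie would reach Mattermost when it is embedded cross-site. The rules are a simplified model of the Chromium behaviour the issue runs into (no SameSite is treated as Lax, SameSite=None requires Secure, Secure requires https); the before/after responses and the cookie value are constructed, and the audit covers any cookie in the response, not only PHPSESSID.

```python
"""
Audit Set-Cookie headers for the "web app embedded in a cross-site iframe" case.

Constructed approximation of Chromium (Chrome / Edge) rules, not an official model:
  - no SameSite attribute        -> treated as Lax -> not sent to a cross-site iframe
  - SameSite=None without Secure -> cookie rejected outright
  - Secure cookie set over http  -> cookie dropped
  - SameSite=None; Secure        -> sent to the cross-site iframe (what the fix produces)
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]
    secure: bool
    httponly: bool
    problems: List[str] = field(default_factory=list)

    @property
    def usable_in_cross_site_iframe(self) -> bool:
        return not self.problems


def parse_set_cookie(value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split 'NAME=val; attr; attr=val' into (NAME, {attr_lower: val_or_None})."""
    parts = [p.strip() for p in value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, has_eq, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if has_eq else None
    return name, attrs


def check_cookie(value: str, over_https: bool = True) -> CookieVerdict:
    """Decide whether this Set-Cookie would reach an embedded, cross-site frame."""
    name, attrs = parse_set_cookie(value)
    samesite = (attrs.get("samesite") or "").lower() or None
    verdict = CookieVerdict(name, samesite, "secure" in attrs, "httponly" in attrs)
    if samesite is None:
        verdict.problems.append("no SameSite attribute: Chromium defaults to Lax, "
                                "so the cookie is not sent to a cross-site iframe")
    elif samesite == "none":
        if not verdict.secure:
            verdict.problems.append("SameSite=None without Secure: Chromium rejects the cookie")
        elif not over_https:
            verdict.problems.append("Secure cookie set over plain http: browsers drop it")
    elif samesite in ("lax", "strict"):
        verdict.problems.append(f"SameSite={samesite}: cookie not sent to a cross-site iframe")
    else:
        verdict.problems.append(f"unknown SameSite value {samesite!r}")
    return verdict


def set_cookie_headers(raw_response: str) -> List[str]:
    """Pull Set-Cookie values out of raw HTTP response headers (e.g. `curl -si` output)."""
    found = []
    for line in raw_response.splitlines():
        key, sep, val = line.partition(":")
        if sep and key.strip().lower() == "set-cookie":
            found.append(val.strip())
    return found


def audit(raw_response: str, over_https: bool = True) -> Dict[str, CookieVerdict]:
    """Map each cookie name in the response to its verdict."""
    return {v.name: v for v in (check_cookie(h, over_https) for h in set_cookie_headers(raw_response))}


# Constructed responses (not captured from a real server): the header PHP's default
# session_start() emits, and the header the session_set_cookie_params()/session_start()
# options from the fix emit. The session id is a placeholder.
BEFORE_FIX = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/\r\n"
    "Location: /oauth/authorize\r\n\r\n"
)
AFTER_FIX = (
    "HTTP/1.1 302 Found\r\n"
    "Set-Cookie: PHPSESSID=0123456789abcdef; path=/; secure; HttpOnly; SameSite=None\r\n"
    "Location: /oauth/authorize\r\n\r\n"
)

if __name__ == "__main__":
    for label, raw in (("before fix", BEFORE_FIX), ("after fix", AFTER_FIX)):
        for name, v in audit(raw).items():
            status = "OK" if v.usable_in_cross_site_iframe else "BLOCKED"
            print(f"{label}: {name}: {status} {'; '.join(v.problems)}")
```

Run it against a real deployment by pasting the `curl -si` output into `audit()`; pass `over_https=False` if the endpoint was fetched over plain http, since the Secure flag the fix adds only helps once the OAuth endpoint itself is served over https.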