IdentityPython / djangosaml2

Django SAML2 Service Provider based on pySAML2
Apache License 2.0

SameSite should be set to None #358

Closed Shaochun-Chao closed 1 year ago

Shaochun-Chao commented 1 year ago

The saml_session can't be stored in the Chrome cookie when the samesite value is "None". It works well in Firefox, but not in Chrome. My Chrome version is 104.0.5112.101. I think it would be better just to set the value to None (remove the double quotes). Or is there any other solution to fix this problem? Please guide, thanks.

peppelinux commented 1 year ago

Which Django version are you using?

Shaochun-Chao commented 1 year ago

I have tested it with Django 4.0.5

peppelinux commented 1 year ago

Is your implementation on https, and is the cookie set to SECURE?

Shaochun-Chao commented 1 year ago

Our project is on http currently, and I didn't add SESSION_COOKIE_SECURE = True to my settings. Below is part of my settings:

DEBUG = True

ALLOWED_HOSTS = ['*']
CORS_ALLOW_ALL_ORIGINS = True
CORS_ALLOW_CREDENTIALS = True

INSTALLED_APPS = [
    'django.contrib.admin',
    'django.contrib.auth',
    'django.contrib.contenttypes',
    'django.contrib.sessions',
    'django.contrib.messages',
    'django.contrib.staticfiles',
    'sdwan_overlay_hub',
    'rest_framework',
    'rest_framework.authtoken',
    'djangosaml2',
    'dj_rest_auth',
    'drf_yasg',
    'corsheaders',
]

MIDDLEWARE = [
    'django.middleware.security.SecurityMiddleware',
    'django.contrib.sessions.middleware.SessionMiddleware',
    'django.middleware.common.CommonMiddleware',
    'django.middleware.csrf.CsrfViewMiddleware',
    'django.contrib.auth.middleware.AuthenticationMiddleware',
    'django.contrib.messages.middleware.MessageMiddleware',
    'django.middleware.clickjacking.XFrameOptionsMiddleware',
    'portal.middleware.SamlSessionMiddleware',
    'corsheaders.middleware.CorsMiddleware',
]

SESSION_ENGINE = "portal.session"
SESSION_REDIS = {
    'host': 'redis',
    'port': 6379,
    'db': 0,
    'prefix': 'session',
    'socket_timeout': 1,
    'retry_on_timeout': False,
}

peppelinux commented 1 year ago

It must be on https, otherwise allow unsolicited_responses in the pysaml2 configuration

Shaochun-Chao commented 1 year ago

I've set allow_unsolicited = True in the SAML_CONFIG. The interesting part is why my code works in the Firefox browser but not in the Chrome browser. Is there any reason why you have to set SameSite as a string "None"?

peppelinux commented 1 year ago

It's a security policy of Chrome, that's all.

To avoid trouble you shouldn't use http but only https, secure the cookies and disable SameSite for the saml2 cookie.
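The Chrome behaviour discussed in this thread, as an added illustration that is not part of the issue or of djangosaml2's code: a small stand-alone model of how the SameSite/Secure attributes on the saml_session cookie decide whether Chrome sends it on the IdP's cross-site POST back to the SP. The cookie name, the helper names and the http/https flag are assumptions for the example; the SameSite convention mirrors Django's set_cookie(), where the string "None" emits SameSite=None and the Python value None omits the attribute.

```python
from http.cookies import SimpleCookie

# Assumed cookie name, taken from the thread ("saml_session").
COOKIE_NAME = "saml_session"


def build_set_cookie(value, samesite, secure):
    """Return a Set-Cookie header value for the SAML session cookie.

    samesite follows Django's set_cookie() convention: the string "None"
    emits SameSite=None, the Python value None omits the attribute.
    """
    cookie = SimpleCookie()
    cookie[COOKIE_NAME] = value
    morsel = cookie[COOKIE_NAME]
    morsel["httponly"] = True
    morsel["path"] = "/"
    if secure:
        morsel["secure"] = True
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


def check_cross_site_post(set_cookie, over_https):
    """Model Chrome's rules for sending this cookie on a cross-site POST
    (the IdP posting the SAML response to the SP's ACS endpoint).

    Returns (accepted, reason). Chrome's short "Lax+POST" grace period for
    freshly set cookies that omit SameSite is deliberately ignored here.
    """
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        key, _, val = part.strip().partition("=")
        attrs[key.lower()] = val
    samesite = attrs.get("samesite", "Lax").lower()  # Chrome defaults to Lax
    secure = "secure" in attrs
    if samesite == "none" and not secure:
        return False, "SameSite=None without Secure is rejected by Chrome"
    if secure and not over_https:
        return False, "Secure cookie is never sent over plain http"
    if samesite in ("lax", "strict"):
        return False, f"SameSite={samesite} cookie is withheld from a cross-site POST"
    return True, "cookie is sent with the cross-site POST"
```

Only the combination SameSite=None plus Secure over https passes; omitting the attribute (Python None) makes Chrome treat the cookie as Lax, which is withheld from the IdP's POST as well.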

Shaochun-Chao commented 1 year ago

That makes sense, I will implement my project on https in the future. Thank you for your help.