TryGhost / Ghost

Independent technology for modern publishing, memberships, subscriptions and newsletters.
https://ghost.org
MIT License
47.46k stars, 10.35k forks

Make this site private - not working in Chrome and Opera #17514

Open joe-blocher opened 1 year ago

joe-blocher commented 1 year ago

Issue Summary

Change or delete row 58 of versions/5.54.4/core/frontend/apps/private-blogging/lib/middleware.js:

```js
return session({
    name: 'ghost-private',
    maxAge: constants.ONE_MONTH_MS,
    signed: false,
    sameSite: 'lax'     // <----- row 58: instead of 'none', or delete the row
})(req, res, next);
```

Or you can delete row 58, because sameSite: 'Lax' is the default value. You can't code 'secure' within an object - secure: true will not work.

Works now in Chrome and Opera. See https://web.dev/i18n/en/samesite-cookies-explained, point (1): Mark cross-site cookies as Secure to allow setting them in cross-site contexts.

Steps to Reproduce

See https://forum.ghost.org/t/make-this-site-private-not-working/39938/1

Ghost Version

5.54.4

Node.js Version

v18.15.0

How did you install Ghost?

local, macos

Database type

SQLite3

Browser & OS version

No response

Relevant log / error output

No response

joe-blocher commented 1 year ago

Maybe you can implement it like the 'ghost-admin-api-session' in versions/5.54.4/core/server/services/auth/session/express-session.js:

```js
function getExpressSessionMiddleware() {
    ...
        name: 'ghost-admin-api-session',
        cookie: {
            maxAge: constants.SIX_MONTH_MS,
            httpOnly: true,
            path: urlUtils.getSubdir() + '/ghost',
            sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
            secure: urlUtils.isSSL(config.get('url'))
        }
    });
    return unoExpressSessionMiddleware;
}
```

github-actions[bot] commented 1 year ago

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

joe-blocher commented 1 year ago

In core/frontend/apps/private-blogging/lib/middleware.js:

```js
const privateBlogging = {
    …
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
        // sameSite: 'none'    <--- replace this with the 2 lines below
        sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
        secure: urlUtils.isSSL(config.get('url'))
    })(req, res, next);
},
```

and all is fine! Implement it the same way as you did in core/server/services/auth/session/express-session.js.
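The cookie rules behind this thread, as an added example that is not Ghost's own code: the function names, the URL protocol check standing in for urlUtils.isSSL, and the sample URLs are assumptions. It shows why the shipped `sameSite: 'none'` cookie is dropped on a plain http://localhost install and why the SSL-conditional options pass in both environments.

```javascript
// Added example, not Ghost's own code. Models the cookie-attribute rules that
// make the original `sameSite: 'none'` private-site cookie fail on a plain
// http://localhost install, and shows the SSL-conditional options from the
// issue passing both checks. Function names here are hypothetical.

// Mirror of the proposed middleware options: SameSite=None only over HTTPS,
// and mark the cookie Secure in exactly that case (Ghost's urlUtils.isSSL
// is replaced by a URL protocol check for this stand-alone example).
function privateCookieOptions(siteUrl) {
    const isSSL = new URL(siteUrl).protocol === 'https:';
    return {
        name: 'ghost-private',
        sameSite: isSSL ? 'none' : 'lax',
        secure: isSSL
    };
}

// Two checks applied to a Set-Cookie with these options:
// 1. Chromium rule (web.dev): SameSite=None is rejected unless Secure is set.
// 2. Server-side rule modelled on the `cookies` module that session
//    middleware builds on: a Secure cookie cannot be sent on an unencrypted
//    (http://) request, so the cookie is never emitted at all.
function cookieOutcome(opts, siteUrl) {
    const isSSL = new URL(siteUrl).protocol === 'https:';
    if (opts.secure && !isSSL) {
        return 'not sent: Secure cookie over unencrypted connection';
    }
    if (opts.sameSite === 'none' && !opts.secure) {
        return 'rejected by browser: SameSite=None without Secure';
    }
    return 'set';
}

// The options in the shipped middleware (before the proposed change).
const ORIGINAL_OPTIONS = {name: 'ghost-private', sameSite: 'none'};

const LOCAL_URL = 'http://localhost:2368'; // constructed local dev URL
const SSL_URL = 'https://blog.example';    // constructed production URL

function originalOnLocal() {
    return cookieOutcome(ORIGINAL_OPTIONS, LOCAL_URL);
}
function fixedOnLocal() {
    return cookieOutcome(privateCookieOptions(LOCAL_URL), LOCAL_URL);
}
function fixedOnSSL() {
    return cookieOutcome(privateCookieOptions(SSL_URL), SSL_URL);
}
```

Setting `secure: true` unconditionally, as the first comment notes, trips the second check on a local http install, which is why the conditional form is needed rather than just adding Secure.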

github-actions[bot] commented 1 year ago

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

daniellockyer commented 1 year ago

Hey there, thank you so much for the detailed bug report.

That does look like something that shouldn't happen! A PR to fix this issue would be very welcome 🙂

joe-blocher commented 1 year ago

I have made the PR.

hussainb commented 1 year ago

Hi, I am facing the same issue in the latest version of Ghost, unable to login to the private site using Chrome based browsers.

joe-blocher commented 1 year ago

It's nearly three months later ... and nothing happened. But for me it's closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938

hussainb commented 1 year ago

> It's nearly three months later ... and nothing happened. But for me it's closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938

Yeah, they didn't care to merge it. But I appreciate you for your troubleshooting and the fix.

I think just a rerun would be required to pass the build, otherwise the PR is already approved:

https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938

joe-blocher commented 1 year ago

I have made my first PR. I think the second one failed: Merge branch 'main' into joe-blocher-patch-1 https://github.com/TryGhost/Ghost/pull/17938/commits/ae0f64eb578f4aa43248da1b3e807a1f0c3b9bef

I don't really know what it is for and how I can delete this PR...

> On 16.10.2023 at 08:45, Hussain @.***> wrote:
>
> It's nearly three months later ... and nothing happened. But for me it's closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938
>
> Yeah, they didn't care to merge it. But I appreciate you for your troubleshooting and the fix.
>
> I think just a rerun would be required to pass the build, otherwise the PR is already approved:
>
> https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938

hussainb commented 1 year ago

Maybe @daniellockyer can help

joe-blocher commented 6 months ago

You didn't fix the error: Make this site private - not working in Chrome and Opera

[Screenshot 2024-04-18 10:34:22] [Screenshot 2024-04-18 10:35:30]

SOLUTION - I told you in August 2023 and I have made the PR!

versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js

```js
const privateBlogging = {
    ....
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
        sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',  // <--- insert this
        secure: urlUtils.isSSL(config.get('url')),                     // <--- insert this
        // sameSite: 'none'    <--- row 58: remove
    })(req, res, next);
},
```

joe-blocher commented 6 months ago

The pull request is still not merged in version 5.82.2: Fixed private mode cookie for local development #17938

Why not?

vikaspotluri123 commented 6 months ago

What makes you say the PR wasn't merged? The commit shows that it's been in releases starting from 5.70.0.

joe-blocher commented 6 months ago

I've downloaded the code: versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js. But the code is still the same:

```js
return session({
    name: 'ghost-private',
    maxAge: constants.ONE_MONTH_MS,
    signed: false,
    sameSite: 'none'    // <--- why this?
})(req, res, next);
},
```

vikaspotluri123 commented 6 months ago

The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:

https://github.com/TryGhost/Ghost/pull/19298

davedub commented 6 months ago

> The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:
>
> 19298

OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

joe-blocher commented 6 months ago

> The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:
>
> 19298
>
> OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

My solution: I always change the code myself when I install an update. You only have to change 2 lines. I first reported the solution in August 2023. Maybe they will fix the bug sometime ...

TheLaurenBarger commented 5 months ago

Hey guys, any update on this one? I couldn't access the links behind why the commit was reverted. So not sure on the details or complexity of the bug, is there any progress towards figuring it out? Thanks, and I'm a huge Ghost fan 😊

joe-blocher commented 3 months ago

Downloaded version 5.89.1 - this bug is still not fixed.

You only have to change 2 lines in your code. I first reported the solution in August 2023. Why is this impossible?

Grasume commented 1 month ago

@daniellockyer, this is disappointing that this is still an issue, especially with Docker involved.

kilmarnock commented 2 weeks ago

I can confirm that I have no access via Chromium, Chrome, anonymouse and Edge. It works with Firefox. I will not tell that to my customers. Version is 5.91.0, in a Docker container.