Closed joszz closed 2 years ago
@joszz I've run into a similar issue with the C# client. The examples are purposely simplistic around the mechanism to store the state and username, because of this very issue - the best way to persist that information will definitely vary depending on the web application's architecture and security controls. Do you have a suggestion for a note that we could add after
> Store it in the session to be later used by the callback.
to make it clear to developers?
Hmm, not so easy to come up with something to the point :) Maybe something like: _Note that a session relies on a cookie. Cookies might not be sent, for example when the PHP ini setting `session.cookie_samesite` is set to "Strict"._
How about
> This example demonstrates use of the HTTP session (cookies) for storing the state. In some applications, CORS or strict cookie controls will mean a different mechanism to persist the state and username will be necessary.
I could be missing something here, but I do not see CORS impacting the functionality. This new API is not made to be accessed through async JavaScript requests, or is it? CORS only has an impact on such APIs.
We've had reports on some of the other languages' repos about CORS issues, from people that are using it from XHR requests. Though actually, that affects the redirect behavior and not the session storage, so it probably doesn't belong here anyway.
So maybe just
> This example demonstrates use of the HTTP session (cookies) for storing the state. In some applications, strict cookie controls or other session security measures will mean a different mechanism to persist the state and username will be necessary.
Hmm, curious now about the async requests, might look into that :) The comment looks good to me!
Check out https://github.com/duosecurity/duo_universal_python/issues/1 re the CORS issue. We've also had folks contact our support team about it too.
I'll try to get the comment update in soon.
Added comment from above to example. Commit https://github.com/duosecurity/duo_universal_php/commit/e108fc91a41b6a1784fc8558297a9de6d6f0c589
The examples do not work when PHP is configured with `session.cookie_samesite = "Strict"`.
Which makes sense since the callback URL is originating from the Duo servers, and Strict is preventing cookies from being sent when this is the case. Maybe a note about this is in place? A workaround could be storing state in a DB.
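One way to implement the DB-backed workaround described in this issue, as an added example that is not part of duo_universal_php or its example code. It assumes PHP with the pdo_sqlite extension, and that the Duo client's state generation and code exchange calls happen around these functions; the function and table names are the example's own.

```php
<?php
// Keep the Duo "state" and the username in a server-side table instead of the
// PHP session, so the callback still works when session.cookie_samesite is
// "Strict" and the session cookie is not sent on the cross-site redirect
// back from Duo. The state value itself is still carried in the callback URL.

// Constructed for the demo: an in-memory SQLite table. A real application
// would use its own database and a connection that outlives the request.
function openStateStore(): PDO {
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE duo_state (
        state      TEXT PRIMARY KEY,
        username   TEXT NOT NULL,
        expires_at INTEGER NOT NULL)');
    return $db;
}

// Called before redirecting the user to Duo. $state is the value produced by
// the Duo client's state generator (assumed unguessable and unique per login).
function saveState(PDO $db, string $state, string $username, int $ttl = 300): void {
    $stmt = $db->prepare(
        'INSERT INTO duo_state (state, username, expires_at) VALUES (?, ?, ?)');
    $stmt->execute([$state, $username, time() + $ttl]);
}

// Called from the callback with the state query parameter. Returns the
// username bound to that state, or null if it is unknown or expired. The row
// is deleted in both cases so a state value can only be consumed once.
function consumeState(PDO $db, string $state): ?string {
    $stmt = $db->prepare(
        'SELECT username, expires_at FROM duo_state WHERE state = ?');
    $stmt->execute([$state]);
    $row = $stmt->fetch(PDO::FETCH_ASSOC);
    $db->prepare('DELETE FROM duo_state WHERE state = ?')->execute([$state]);
    if ($row === false || (int)$row['expires_at'] < time()) {
        return null;
    }
    return $row['username'];
}

// Demo with constructed values; a real flow uses the Duo client's generated
// state and passes the returned username to its code exchange call.
$db = openStateStore();
saveState($db, 'constructed-state-abc123', 'alice');
var_dump(consumeState($db, 'constructed-state-abc123')); // first use
var_dump(consumeState($db, 'constructed-state-abc123')); // replayed state
var_dump(consumeState($db, 'never-issued-state'));       // unknown state
```

Only the first lookup should yield a username; a replayed or unknown state yields null, which the callback should treat as a failed login rather than falling back to any other identity source.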