duosecurity / duo_universal_php

Duo OIDC-based two-factor authentication for PHP web applications
https://duo.com/docs/duoweb
BSD 3-Clause "New" or "Revised" License
21 stars, 12 forks

Problem with session.cookie_samesite = "Strict" #2

Closed joszz closed 2 years ago

joszz commented 2 years ago

The examples do not work when PHP is configured with: session.cookie_samesite = "Strict"

Which makes sense since the callback URL is originating from the Duo servers, and strict is preventing cookies from being sent when this is the case. Maybe a note about this is in place? A workaround could be storing state in a DB.
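The DB-backed workaround mentioned above, as an added example (not code from the duo_universal_php repo or from either commenter): the state and username go into a table row keyed by the state instead of into $_SESSION, so the callback from Duo no longer depends on the browser sending a session cookie. It assumes a Duo\DuoUniversal\Client instance named $duo_client built as in the library's README, a writable SQLite file path, and the library's generateState(), createAuthUrl() and exchangeAuthorizationCodeFor2FAResult() methods.

```php
<?php
// Added example: persist Duo state outside the PHP session so that
// session.cookie_samesite = "Strict" cannot break the Duo callback.
// Assumes $duo_client is a configured Duo\DuoUniversal\Client (see README).
require_once __DIR__ . '/vendor/autoload.php';

final class DuoStateStore
{
    private const TTL_SECONDS = 300; // a state is only valid for a short window

    public function __construct(private PDO $db)
    {
        $db->exec('CREATE TABLE IF NOT EXISTS duo_state (state TEXT PRIMARY KEY,'
            . ' username TEXT NOT NULL, created_at INTEGER NOT NULL)');
    }

    public function put(string $state, string $username): void
    {
        $stmt = $this->db->prepare('INSERT INTO duo_state VALUES (?, ?, ?)');
        $stmt->execute([$state, $username, time()]);
    }

    /** Single-use lookup: returns the username, or null if unknown or expired. */
    public function take(string $state): ?string
    {
        $this->db->prepare('DELETE FROM duo_state WHERE created_at < ?')
            ->execute([time() - self::TTL_SECONDS]);
        $stmt = $this->db->prepare('SELECT username FROM duo_state WHERE state = ?');
        $stmt->execute([$state]);
        $username = $stmt->fetchColumn();
        if ($username === false) {
            return null;
        }
        // Delete on first use so a replayed callback URL cannot be accepted twice.
        $this->db->prepare('DELETE FROM duo_state WHERE state = ?')->execute([$state]);
        return $username;
    }
}

// File-based SQLite so the row survives between the login and callback requests.
$store = new DuoStateStore(new PDO('sqlite:' . __DIR__ . '/duo_state.sqlite'));

// Login step (after primary authentication succeeded): store, then redirect to Duo.
if (isset($_POST['username'])) {
    $state = $duo_client->generateState();
    $store->put($state, $_POST['username']);
    header('Location: ' . $duo_client->createAuthUrl($_POST['username'], $state));
    exit;
}

// Callback step: Duo redirects here with ?state=...&duo_code=...; no cookie needed.
$username = isset($_GET['state']) ? $store->take($_GET['state']) : null;
if ($username === null || !isset($_GET['duo_code'])) {
    http_response_code(400);
    exit('Unknown, reused or expired Duo state');
}
$result = $duo_client->exchangeAuthorizationCodeFor2FAResult($_GET['duo_code'], $username);
```

The callback still has to bind the result to the user's primary login on its own (for example by only now creating the application session), since nothing in the request proves which browser started the flow.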

AaronAtDuo commented 2 years ago

@joszz I've run into a similar issue with the C# client. The examples are purposely simplistic around the mechanism to store the state and username, because of this very issue - the best way to persist that information will definitely vary depending on the web application's architecture and security controls. Do you have a suggestion for a note that we could add after

Store it in the session to be later used by the callback.

to make it clear to developers?

joszz commented 2 years ago

hmm, not so easy to come up with something to the point :) Maybe something like: _Note that a session relies on a cookie. Cookies might not be sent, for example when the PHP ini setting session.cookie_samesite is set to "Strict"._

AaronAtDuo commented 2 years ago

How about

This example demonstrates use of the http session (cookies) for storing the state. In some applications, CORS or strict cookie controls will mean a different mechanism to persist the state and username will be necessary.

joszz commented 2 years ago

I could be missing something here, but I do not see CORS impacting the functionality. This new API is not made to be accessed through async javascript requests, or is it? CORS only has an impact on such APIs.

AaronAtDuo commented 2 years ago

We've had reports on some of the other languages' repos about CORS issues, from people that are using it from XHR requests. Though actually, that affects the redirect behavior and not the session storage, so it probably doesn't belong here anyway.

So maybe just

This example demonstrates use of the http session (cookies) for storing the state. In some applications, strict cookie controls or other session security measures will mean a different mechanism to persist the state and username will be necessary.

joszz commented 2 years ago

hmm curious now about the async requests, might look into that :) The comment looks good to me!

AaronAtDuo commented 2 years ago

Check out https://github.com/duosecurity/duo_universal_python/issues/1 re the CORS issue. We've also had folks contact our support team about it too.

I'll try to get the comment update in soon.

AaronAtDuo commented 2 years ago

Added comment from above to example. Commit https://github.com/duosecurity/duo_universal_php/commit/e108fc91a41b6a1784fc8558297a9de6d6f0c589