nodeSolidServer / node-solid-server

Solid server on top of the file-system in NodeJS
https://solidproject.org/for-developers/pod-server

Cookie not set with SameSite attribute #1463

Open josephguillaume opened 4 years ago

josephguillaume commented 4 years ago

As noted on solid-auth-client https://github.com/solid/solid-auth-client/issues/151, Chrome is requiring third-party cookies to be set with SameSite=None and Secure. While this setting is not yet active on desktop, it is active on Android and therefore breaks all Solid apps using the nssidp.sid cookie from .solid.community. This can still be bypassed by disabling chrome://flags/#same-site-by-default-cookies. Presumably non-cookie-based authentication doesn't have this issue, but I'm not sure it's possible to turn off cookie-based authentication at the moment (https://github.com/solid/node-solid-server/issues/672)

I'm not an expert, but it appears the change required is in the definition of the express-session settings https://github.com/solid/node-solid-server/blob/master/lib/create-app.js#L305 https://www.npmjs.com/package/express-session#cookiesamesite

It may be sufficient to simply use:

    cookie: {
      maxAge: 24 * 60 * 60 * 1000,
      sameSite: 'None' // serialized as SameSite=None; browsers only honour it together with Secure
    }

It seems that HTTP connections should also be completely dropped for authenticated sessions, because the third-party cookie won't be sent without cookie.secure=true anyway.
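Added example, not code from the issue, from node-solid-server or from express-session: a small model in plain Node of what the three cookie configurations discussed above produce on the wire, and how a browser enforcing Chrome's SameSite-by-default rules treats each one (stored when the user logs in first-party at the identity provider, then attached or withheld on a cross-site request from an app on another origin to the pod). The cookie name nssidp.sid is from the issue; the session value, the three option sets, the simplified serializer and the startup check are assumptions made for the example.

```javascript
// Added example (not node-solid-server / express-session code). It mirrors the
// attributes the `cookie` package emits for the options below and applies the
// Chrome 80+ rules: no SameSite attribute means Lax; SameSite=None needs Secure.

const DAY_MS = 24 * 60 * 60 * 1000; // the maxAge used in the issue

// express-session `cookie` option as it was (no SameSite attribute). Assumed.
function defaultSessionCookieOptions() {
  return { maxAge: DAY_MS, httpOnly: true };
}

// The change as posted in the issue: SameSite=None but no Secure flag.
function postedSessionCookieOptions() {
  return { maxAge: DAY_MS, sameSite: 'None' };
}

// The change plus the Secure flag that SameSite=None requires. Assumed.
function crossSiteSessionCookieOptions() {
  return { maxAge: DAY_MS, httpOnly: true, secure: true, sameSite: 'none' };
}

// Guard to run at startup next to the session config: SameSite=None without
// Secure is dropped silently by the browser, so fail loudly here instead.
function checkSessionCookieOptions(opts) {
  const sameSite = String(opts.sameSite || '').toLowerCase();
  if (sameSite === 'none' && opts.secure !== true) {
    throw new Error('cookie.sameSite=none requires cookie.secure=true');
  }
  return opts;
}

// Build a Set-Cookie header value for these options (attribute subset that
// matters here; like the `cookie` package, sameSite is case-insensitive).
function serializeSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge != null) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite != null) {
    const canonical = { strict: 'Strict', lax: 'Lax', none: 'None' }[String(opts.sameSite).toLowerCase()];
    if (!canonical) throw new TypeError('option sameSite is invalid');
    parts.push(`SameSite=${canonical}`);
  }
  return parts.join('; ');
}

// Read the attributes this model cares about back out of a Set-Cookie value.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const attrs = { name: pair.slice(0, pair.indexOf('=')), secure: false, sameSite: null };
  for (const attr of rest) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') attrs.secure = true;
    else if (key === 'samesite') attrs.sameSite = (v || '').toLowerCase();
  }
  return attrs;
}

// Does the browser store the cookie from a response received in this context?
// Rules modelled: missing SameSite => Lax; SameSite=None without Secure is
// rejected; Secure cookies need https; Lax/Strict cookies are not stored from
// cross-site responses.
function browserStoresCookie(header, { crossSite, overHttps }) {
  const a = parseSetCookie(header);
  const effective = a.sameSite || 'lax';
  if (effective === 'none' && !a.secure) return false;
  if (a.secure && !overHttps) return false;
  if (crossSite && effective !== 'none') return false;
  return true;
}

// Is an already stored cookie attached to a request made in this context?
function browserSendsCookie(header, { crossSite, overHttps }) {
  const a = parseSetCookie(header);
  const effective = a.sameSite || 'lax';
  if (crossSite && effective !== 'none') return false;
  if (a.secure && !overHttps) return false;
  return true;
}

// The flow from the issue: login at the identity provider (first-party, https),
// then a Solid app on another origin fetches a private resource on the pod.
function sessionCookieReachesPod(opts) {
  const header = serializeSetCookie('nssidp.sid', 'abc123', opts); // value assumed
  const stored = browserStoresCookie(header, { crossSite: false, overHttps: true });
  const sent = stored && browserSendsCookie(header, { crossSite: true, overHttps: true });
  return { header, stored, sent };
}

for (const [label, opts] of Object.entries({
  'as-is': defaultSessionCookieOptions(),
  'posted': postedSessionCookieOptions(),
  'corrected': crossSiteSessionCookieOptions(),
})) {
  console.log(label, sessionCookieReachesPod(opts));
}
```

Run it with node. The as-is options are stored but never sent cross-site, which is the symptom reported; the posted options are rejected outright because SameSite=None arrives without Secure; only the corrected set reaches the pod. The corrected set also illustrates the point about HTTP: once the cookie is Secure, a plain-http request to the pod never carries it, so leaving HTTP open for authenticated sessions gains nothing.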

michielbdejong commented 4 years ago

This same bug was also reported in https://gitter.im/solid/chat?at=5f4e21ef9bad075eacef0d8c

michielbdejong commented 4 years ago

Hm, I have no problem opening https://otto-aa.github.io/solid-filemanager/?url=https://michielbdejong.solid.community/public in Chrome 84 on Mac OS, or Chrome on Android. I'll try updating Chrome on my Android to the latest version.

josephguillaume commented 4 years ago

Is that meant to be a private resource? The cookie is not needed to access public resources, as far as I know.

michielbdejong commented 4 years ago

Hm, even with Chrome 85 on Android I can't reproduce any problem. I set chrome://flags/#same-site-by-default-cookies to Enabled in my Chrome on Mac OS, will see if that helps to reproduce it.

tsojcanth commented 4 years ago

I can't replicate any more on either Chrome 85 or Firefox 80.

SETUP: I had logged in to my app through Solid with solid-auth-client on Chrome pre-85. The error persisted even after the update to 85.

FIX: clearing cookies and local storage on both the app site and Solid. Hitting the logoff button on my pod on solid.community was not effective.

I wonder if somehow solid-auth-client might be at fault for not handling its own inconsistencies?

josephguillaume commented 4 years ago

I'm not sure if something's changed in solid-auth-client, but it looks like it's now able to bypass the cookie failure.

Essentially, the effect of this issue is that the browser never sends the nssidp.sid cookie in requests because the browser doesn't accept the Set-Cookie header from the NSS response, i.e. it's maybe a performance issue, but as long as the client has a workaround, things still work.

timbl commented 4 years ago

But this needs to be specified in the solid spec.

michielbdejong commented 4 years ago

cc @csarven ^