Open josephguillaume opened 4 years ago
This same bug also reported in https://gitter.im/solid/chat?at=5f4e21ef9bad075eacef0d8c
Hm, I have no problem opening https://otto-aa.github.io/solid-filemanager/?url=https://michielbdejong.solid.community/public in Chrome 84 on Mac OS, or Chrome on Android. I'll try updating Chrome on my Android to the latest version.
Is that meant to be a private resource? The cookie is not needed to access public resources, as far as I know.
Hm, even with Chrome 85 on Android I can't reproduce any problem. I set chrome://flags/#same-site-by-default-cookies
to Enabled in my Chrome on Mac OS, will see if that helps to reproduce it.
I can't replicate anymore on either chrome 85 or firefox 80.
SETUP: I had logged in my app through solid with solid-auth-client on chrome pre-85. The error persisted even after the update to 85.
FIX: clearing cookies and local storage on both the app site and solid. Hitting the logoff button on my pod on solid.community was not effective.
I wonder if somehow solid-auth-client might be at fault for not handling its own inconsistencies?
I'm not sure if something's changed in solid-auth-client, but it looks like it's now able to bypass the cookie failure.
Essentially the effect of this issue is that the browser never sends the `nssidp.sid` cookie in requests because the browser doesn't accept the set-cookie header from the nss response, i.e. it's maybe a performance issue, but as long as the client has a workaround, things still work.
But this needs to be specified in the solid spec.
cc @csarven ^
As noted on solid-auth-client https://github.com/solid/solid-auth-client/issues/151, Chrome is requiring third party cookies to be set with `SameSite=None` and `Secure`. While this setting is not yet active on desktop, it is active on Android and therefore breaks all Solid apps using the `nssidp.sid` cookie from `.solid.community`. This can still be bypassed by disabling `chrome://flags/#same-site-by-default-cookies`. Presumably non-cookie based authentication doesn't have this issue but I'm not sure it's possible to turn off cookie-based authentication at the moment (https://github.com/solid/node-solid-server/issues/672)

I'm not an expert, but it appears the change required is in the definition of the express-session settings https://github.com/solid/node-solid-server/blob/master/lib/create-app.js#L305 https://www.npmjs.com/package/express-session#cookiesamesite
It may be sufficient to simply use:
It seems that http connections should also be completely dropped for authenticated sessions because the third party cookie won't be sent without `cookie.secure=true` anyway.
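The issue body above describes two things: how a browser with SameSite-by-default enabled treats a session cookie that lacks `SameSite=None; Secure`, and that the fix sits in the express-session cookie options. The following is an added example, not code from node-solid-server, express-session or anyone in this thread. It parses a `Set-Cookie` header, gives a verdict on whether the cookie would be accepted and sent on a cross-site request (and whether it would travel over plain http), and renders express-session-style cookie options into a header so the default and the corrected configuration can be compared. The function names, the sample session id and the option objects are constructed for this example; only the option names (`sameSite`, `secure`, `httpOnly`) follow the express-session documentation linked above.

```javascript
// Added example, not code from node-solid-server or from this issue thread.
// Models how a SameSite-by-default browser (the Chrome behaviour reported in
// the issue) treats a pod server's session cookie in a third-party context,
// and renders express-session-style options into a Set-Cookie header so the
// "before" and "after" configurations can be compared side by side.
// Function names and sample values below are constructed for this example.

// Parse a Set-Cookie header into its name, value and lower-cased attributes.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const idx = part.indexOf('=');
    const key = (idx === -1 ? part : part.slice(0, idx)).trim().toLowerCase();
    // Valueless attributes such as Secure and HttpOnly are recorded as true.
    attrs[key] = idx === -1 ? true : part.slice(idx + 1).trim();
  }
  return { name, value, attrs };
}

// Decide whether a SameSite-by-default browser would accept the cookie and
// later send it on cross-site requests, and whether it would go over http.
function crossSiteCookieVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const secure = attrs.secure === true;
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  let sentCrossSite = false;
  let reason;
  if (sameSite === null) {
    reason = 'no SameSite attribute: treated as Lax by default, so withheld from cross-site requests';
  } else if (sameSite === 'lax' || sameSite === 'strict') {
    reason = `SameSite=${sameSite}: withheld from cross-site requests`;
  } else if (sameSite === 'none' && !secure) {
    reason = 'SameSite=None without Secure: the browser rejects the Set-Cookie header';
  } else if (sameSite === 'none') {
    sentCrossSite = true;
    reason = 'SameSite=None; Secure: accepted and sent on cross-site https requests';
  } else {
    reason = `unrecognised SameSite value "${sameSite}": treated conservatively as not cross-site capable`;
  }
  // A Secure cookie is never sent over plain http, which is why the thread
  // suggests dropping http for authenticated sessions once secure is set.
  return { name, sentCrossSite, sentOverHttp: !secure, reason };
}

// Render express-session-style cookie options (sameSite, secure, httpOnly,
// path) into a Set-Cookie header. Mirrors the option names express-session
// documents, but is a stand-alone rendering, not the library itself.
function renderSetCookie(name, value, options = {}) {
  const attrs = [`Path=${options.path || '/'}`];
  if (options.httpOnly) attrs.push('HttpOnly');
  if (options.secure) attrs.push('Secure');
  if (options.sameSite) {
    const v = String(options.sameSite);
    attrs.push(`SameSite=${v.charAt(0).toUpperCase()}${v.slice(1).toLowerCase()}`);
  }
  return [`${name}=${value}`, ...attrs].join('; ');
}

// Constructed sample values; the session id is a placeholder, not a real one.
const SESSION_ID = 's%3Aexample-session-id.example-signature';
const DEFAULT_COOKIE_OPTIONS = { httpOnly: true };                               // before
const FIXED_COOKIE_OPTIONS = { httpOnly: true, secure: true, sameSite: 'none' }; // after
const DEFAULT_NSS_COOKIE = renderSetCookie('nssidp.sid', SESSION_ID, DEFAULT_COOKIE_OPTIONS);
const FIXED_NSS_COOKIE = renderSetCookie('nssidp.sid', SESSION_ID, FIXED_COOKIE_OPTIONS);

// Print both headers with their verdicts when run directly.
function demo() {
  for (const header of [DEFAULT_NSS_COOKIE, FIXED_NSS_COOKIE]) {
    console.log(header);
    console.log('  ->', crossSiteCookieVerdict(header));
  }
}
demo();
```

Running the block shows the default header (no `SameSite`, no `Secure`) withheld from cross-site requests, which matches the symptom described in the thread, and the corrected header accepted; the same `crossSiteCookieVerdict` check can be pointed at any `Set-Cookie` header captured from a pod server response.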