yiisoft / yii2-authclient

Yii 2 authclient extension.
http://www.yiiframework.com
BSD 3-Clause "New" or "Revised" License
461 stars 246 forks source link

SameSite "strict" attribute to session cookie inhibits from login with yii2-authclients #294

Open ivan-redooc opened 4 years ago

ivan-redooc commented 4 years ago

In main.php set-up the attributes to session cookie.
The sameSite attibute to strict:

        'session'      => [
            'class'        => 'yii\web\CacheSession',
            'name'         => 'mysession',
            'timeout'      => 86400,
            'useCookies'   => true,
            'cookieParams' => [
                'httponly' => true,
                'secure' => true,
                 'sameSite' => yii\web\Cookie::SAME_SITE_STRICT,
            ],
        ],

I expect to login with my social buttons (eg: google and facebook)

The login process works well, but I'm not logged after it.

Using sameSite value to lax everything work well.

If I understood correctly the situation this could be totally fine, I mean, not a code problem, but I think this situation has to be documented.

Q A
Yii version 2.0.31
Yii Auth Client version 2.2.4
Yii HTTP Client version 2.0.11
PHP version 7.3
Operating system Linux ubuntu 64bit
DeryabinSergey commented 4 years ago

I think good idea use php.ini config for session cookies, not application config

; http://php.net/session.cookie-secure
session.cookie_secure = 1

; Whether or not to add the httpOnly flag to the cookie, which makes it
; inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly = 1

; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
; Current valid values are "Lax" or "Strict"
; https://tools.ietf.org/html/draft-west-first-party-cookies-07
session.cookie_samesite = 'Strict'

Ok, lets go.

If you use samesite = Strict cookie renew if you come to site with redirect from another domain (OAuth authorization is this). OAuth is supported extra key - state, for checking CSRF when you return from authorization server. Before redirect state saved in session by default, implemented StateStorageInterface and after come back from OAuth server state checked.

But if samesite = Strict and come back with new session cookie and there is no state param.

  1. Bad idea is disable checking state by adding key in config. This solition is weak.
    'components' => [
        'authClientCollection' => [
              'class' => 'yii\authclient\Collection',
              'clients' => [
                    'facebook' => [
                        'class' => 'yii\authclient\clients\Facebook',
                        'clientId' => 'clientId',
            'clientSecret' => 'clientSecret',
                        'validateAuthState' => false
                    ],
                    'google' => [
                        'class' => 'yii\authclient\clients\Google',
                        'clientId' => 'clientId.apps.googleusercontent.com',
                        'clientSecret' => 'clientSecret',
                        'validateAuthState' => false
                    ]
              ]
        ]
    ]
  1. Set session.cookie_samesite = 'Lax'

  2. Make new implementation of StateStorageInterface

VishalRKumar commented 4 years ago

If you are facing login concern due to Identify Cookies, for the PHP version < 7.3, you can set the value of sameSite Attribute None as:

Edit your main.php file pass the value of sameSite in variable path as:

        'identityCookie' => [
             'name' => 'cookiename',
                 'httpOnly' => true**
                 'path' => '/;SameSite=None',
                 'secure' => true
         ]

And for session cookie, modify the cookieParam as:

    'cookieParams' => [
               'lifetime' => time()60,
               'httpOnly' => true,
              'secure'=>true,
             'path' => '/;SameSite=None'
    ]

Note: You may need to edit the file:

yii\web\Cookie, by updating the value of $path from '/' to '/;SameSite=None'.

I hope this will help.