Open ivan-redooc opened 4 years ago
I think good idea use php.ini
config for session cookies, not application config
; http://php.net/session.cookie-secure
session.cookie_secure = 1
; Whether or not to add the httpOnly flag to the cookie, which makes it
; inaccessible to browser scripting languages such as JavaScript.
; http://php.net/session.cookie-httponly
session.cookie_httponly = 1
; Add SameSite attribute to cookie to help mitigate Cross-Site Request Forgery (CSRF/XSRF)
; Current valid values are "Lax" or "Strict"
; https://tools.ietf.org/html/draft-west-first-party-cookies-07
session.cookie_samesite = 'Strict'
Ok, lets go.
If you use samesite = Strict
cookie renew if you come to site with redirect from another domain (OAuth authorization is this). OAuth is supported extra key - state, for checking CSRF when you return from authorization server. Before redirect state saved in session by default, implemented StateStorageInterface and after come back from OAuth server state checked.
But if samesite = Strict
and come back with new session cookie and there is no state param.
'components' => [
'authClientCollection' => [
'class' => 'yii\authclient\Collection',
'clients' => [
'facebook' => [
'class' => 'yii\authclient\clients\Facebook',
'clientId' => 'clientId',
'clientSecret' => 'clientSecret',
'validateAuthState' => false
],
'google' => [
'class' => 'yii\authclient\clients\Google',
'clientId' => 'clientId.apps.googleusercontent.com',
'clientSecret' => 'clientSecret',
'validateAuthState' => false
]
]
]
]
Set session.cookie_samesite = 'Lax'
Make new implementation of StateStorageInterface
If you are facing login concern due to Identify Cookies, for the PHP version < 7.3, you can set the value of sameSite Attribute None as:
Edit your main.php file pass the value of sameSite in variable path as:
'identityCookie' => [
'name' => 'cookiename',
'httpOnly' => true**
'path' => '/;SameSite=None',
'secure' => true
]
And for session cookie, modify the cookieParam as:
'cookieParams' => [
'lifetime' => time()60,
'httpOnly' => true,
'secure'=>true,
'path' => '/;SameSite=None'
]
Note: You may need to edit the file:
yii\web\Cookie, by updating the value of $path from '/' to '/;SameSite=None'.
I hope this will help.
In main.php set-up the attributes to session cookie.
The sameSite attibute to strict:
I expect to login with my social buttons (eg: google and facebook)
The login process works well, but I'm not logged after it.
Using sameSite value to lax everything work well.
If I understood correctly the situation this could be totally fine, I mean, not a code problem, but I think this situation has to be documented.