zopefoundation / Products.PluggableAuthService

Pluggable Zope authentication / authorization framework

Set the Cookie Auth Helper cookies with ``SameSite`` set to ``Strict`` #114

Closed dataflake closed 2 years ago

dataflake commented 2 years ago

This cookie flag is not currently set, which causes modern browsers to show warnings at the console. Such cookies may be rejected in the future and break the Cookie Auth Helper. See https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/ for information about the SameSite cookie attribute and why its handling in browsers is changing.

I hardcoded Strict because authentication cookies should never be sent anywhere but to the originating site.

dataflake commented 2 years ago

> While SameSite=Strict is a good default, I think we should have a way to override it: the site of one of my clients is e.g. sometimes "embedded" (i.e. shown in a frame); for those (rare) cases, it should be possible to use Lax or even None. We already have the possibility to override cookie parameters (defining a customized ICookieParamPolicy utility); maybe, this is enough even though it is not exposed.

Just so I understand the situation: so you're saying the main site sets the cookie but it should also be sent to the embedded site because it's using the same authentication cookie (but doesn't set it itself)?

d-maurer commented 2 years ago

Jens Vagelpohl wrote at 2022-9-20 00:00 -0700:

> > While SameSite=Strict is a good default, I think we should have a way to override it: the site of one of my clients is e.g. sometimes "embedded" (i.e. shown in a frame); for those (rare) cases, it should be possible to use Lax or even None. We already have the possibility to override cookie parameters (defining a customized ICookieParamPolicy utility); maybe, this is enough even though it is not exposed.
>
> Just so I understand the situation: so you're saying the main site sets the cookie but it should also be sent to the embedded site because it's using the same authentication cookie (but doesn't set it itself)?

No. If a site is embedded in a (foreign) frame, all its cookies are considered third party -- and not sent with SameSite=Strict. With this setting, the embedded site would not be able to set up an authentication session (even though it performs the authentication itself).

dataflake commented 2 years ago

@d-maurer I have now made the SameSite flag (and the Secure flag as they can influence each other) configurable from the ZMI. Please take another look.
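The SameSite/Secure interplay and the framed-site case discussed in this thread, as an added example that is not Products.PluggableAuthService code: the cookie name and values are constructed, and the browser rule is a simplified model of the behaviour the linked Mozilla article describes.

```python
"""Added illustration (not the project's code) of why an auth cookie's
SameSite and Secure attributes have to be configured together, and why
SameSite=Strict breaks a site shown inside a foreign frame."""
from http.cookies import SimpleCookie

VALID_SAMESITE = ("Strict", "Lax", "None")


def build_auth_cookie(name, value, same_site="Strict", secure=True, path="/"):
    """Return the Set-Cookie header value for an authentication cookie.

    Browsers drop a cookie that says SameSite=None without Secure, so that
    combination is refused here instead of silently emitting a cookie the
    browser will never store.
    """
    if same_site not in VALID_SAMESITE:
        raise ValueError(f"unsupported SameSite value: {same_site!r}")
    if same_site == "None" and not secure:
        raise ValueError("SameSite=None requires the Secure flag")
    cookie = SimpleCookie()
    cookie[name] = value            # constructed name/value, see caller
    morsel = cookie[name]
    morsel["path"] = path
    morsel["httponly"] = True       # keep the session token away from scripts
    morsel["samesite"] = same_site  # supported by http.cookies since Python 3.8
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def cookie_sent(same_site, cross_site_request, top_level_get_navigation):
    """Simplified browser rule: would a cookie with this SameSite value be
    attached to the request?

    A site embedded in a foreign frame is a cross-site request that is not
    a top-level navigation, so only SameSite=None reaches it.
    """
    if not cross_site_request:
        return True                 # same-site requests always carry it
    if same_site == "Strict":
        return False                # never on cross-site requests
    if same_site == "Lax":
        return top_level_get_navigation
    return True                     # "None": sent everywhere (needs Secure)


if __name__ == "__main__":
    print(build_auth_cookie("__ac", "abc"))
    # A framed site: cross-site, not a top-level navigation.
    for mode in VALID_SAMESITE:
        print(mode, "sent in frame:", cookie_sent(mode, True, False))
```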

d-maurer commented 2 years ago

> @d-maurer I have now made the SameSite flag (and the Secure flag as they can influence each other) configurable from the ZMI. Please take another look.

Good for me.