
[Bug]: session cookie is missing in Chrome and Safari #27

Open
1 task done
thomasleplus opened this issue May 7, 2024 · 4 comments
Assignees
Labels
bug Something isn't working

Comments

@thomasleplus
Member

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

It seems that Firefox accepts the session cookie with flag SameSite=None with a warning but not Chrome or Safari. Chrome says:

Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.

As a result, the OIDC flow ends in an internal server error 500 and the following message in the debugger log: "error opening session".

Expected Behavior

No internal server error.

version

v1.25.3-2

Relevant log output

"error opening session"

Steps To Reproduce

Just use a recent version of Chrome or Safari.

Anything else?

No response

@thomasleplus
Member Author

The issue was initially reported by @jawabuu, see #24 (comment).

@thomasleplus
Member Author

@jawabuu I have a fix: apparently setting the Secure flag on the cookie is sufficient and it seems the cookie is sent to localhost despite the fact that TLS is not used. That should solve the issue for now (although the long-term solution is probably to support TLS, I will create a separate issue for that). I need a couple of hours to find the time to test the fix with different browsers and to release. I will let you know when it's done.

@jawabuu

jawabuu commented May 7, 2024

@thomasleplus So I tried it on a server with https redirect_uri

2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:556: openidc_discover(): openidc_discover: URL is: https://auth.example.com/.well-known/openid-configuration
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:107: openidc_cache_get(): cache hit: type=discovery key=https://auth.example.com/.well-known/openid-configuration
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:674: openidc_get_token_auth_method(): 1 => client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:677: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:691: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:1551: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
10.42.0.151 - - [07/May/2024:15:55:11 +0000] "GET /debug HTTP/1.1" 302 151 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2024/05/07 15:55:39 [error] 6#6: *5 lua entry thread aborted: runtime error: access_by_lua(/etc/nginx/conf.d/default.conf:40):5: attempt to concatenate field 'cookie_session' (a nil value)
stack traceback:
coroutine 0:
        access_by_lua(/etc/nginx/conf.d/default.conf:40): in main chunk, client: 10.42.0.151, server: localhost, request: "GET /login?code=cYO2iky5urTtXYIpXCLKiKJMfeVsfmXLKo_PJKvwCIQ.otORxcIsi2k8-Z8qM1tcncZejFF5RgWM1Er1Hfm3Psg&scope=openid%20email%20profile&state=d1f01e26d4c4f3f10713e862354ad346 HTTP/1.1", host: "openid.prod.chura.co.ke", referrer: "https://www.example.com/"
10.42.0.151 - - [07/May/2024:15:55:39 +0000] "GET /login?code=cYO2iky5urTtXYIpXCLKiKJMfeVsfmXLKo_PJKvwCIQ.otORxcIsi2k8-Z8qM1tcncZejFF5RgWM1Er1Hfm3Psg&scope=openid%20email%20profile&state=d1f01e26d4c4f3f10713e862354ad346 HTTP/1.1" 500 585 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"


@thomasleplus
Member Author

Sorry I wasn't clear. The issue is that the page starting the OpenID Connect flow (http://localhost:8080/debug) is not using https so the session cookie that it sets is discarded. That's why you get the error that 'cookie_session' is nil (missing).

The fix that I found is to set the Secure flag on the cookie. Then it is saved even though the page is not https. At least for Chrome. But Safari has a peculiar bug (at least IMHO): it does not save cookies received in redirection response. I didn't know that but it is well documented:

I will try to think about a workaround but for now I have pushed the fix that works for Chrome. I hope that will help.
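The rule quoted from Chrome in the issue body (SameSite=None is only honoured together with Secure) and the fix described in the comments above (adding the Secure attribute, which Chrome accepted even for the plain-http localhost page) can be checked against a Set-Cookie header before a browser ever sees it. The following Python is an added example and is not code from this project or from openidc.lua; the Set-Cookie strings are constructed samples, and the treatment of http://localhost as a secure context is an assumption modelled on what the comment above observed, not a guarantee for every browser version.

```python
from urllib.parse import urlsplit

# Constructed sample headers (not taken from the project): the first is the
# shape Chrome rejects, the second carries the Secure attribute the fix adds.
BROKEN_SET_COOKIE = "session=abc123; Path=/; HttpOnly; SameSite=None"
FIXED_SET_COOKIE = "session=abc123; Path=/; HttpOnly; SameSite=None; Secure"

# Assumption: hosts a browser treats as a secure context even over http.
LOOPBACK_HOSTS = {"localhost", "127.0.0.1", "::1"}


def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attribute: value}).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly)
    are stored as True.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if val else True
    return name.strip(), value, attrs


def cookie_accepted(header, page_url):
    """Decide whether a browser following Chrome's rule would store the cookie.

    Returns (accepted, reason). Two checks are applied:
      1. SameSite=None without Secure is discarded (the rule quoted in the issue).
      2. A Secure cookie is only stored when the page was served from a secure
         context: https, or (assumption) a loopback host such as localhost.
    """
    _, _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = str(attrs.get("samesite", "lax")).lower()  # Chrome defaults to Lax
    url = urlsplit(page_url)
    secure_context = url.scheme == "https" or url.hostname in LOOPBACK_HOSTS

    if samesite == "none" and not secure:
        return False, "SameSite=None requires the Secure attribute"
    if secure and not secure_context:
        return False, "Secure cookie set from an insecure, non-loopback origin"
    return True, "ok"


def harden_set_cookie(header):
    """Append Secure when SameSite=None is present without it (the issue's fix)."""
    _, _, attrs = parse_set_cookie(header)
    if str(attrs.get("samesite", "")).lower() == "none" and "secure" not in attrs:
        return header.rstrip("; ") + "; Secure"
    return header


if __name__ == "__main__":
    for label, hdr in (("before", BROKEN_SET_COOKIE), ("after", FIXED_SET_COOKIE)):
        for page in ("http://localhost:8080/debug", "http://www.example.com/debug",
                     "https://www.example.com/debug"):
            print(label, page, cookie_accepted(hdr, page))
    print(harden_set_cookie(BROKEN_SET_COOKIE))
```

Run stand-alone, the script shows the unfixed header being rejected everywhere, the fixed header accepted on https and on the localhost page, and still rejected on a plain-http non-loopback host, which is why the comment above treats TLS support as the long-term solution. The Safari behaviour mentioned in the same comment (cookies carried on a redirect response not being stored) is not modelled here, since it depends on the response type rather than on the cookie's attributes.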
