Cookie not set with SameSite attribute #1463

Open
josephguillaume opened this issue Aug 8, 2020 · 8 comments

Comments

josephguillaume commented Aug 8, 2020

As noted on solid-auth-client nodeSolidServer/solid-auth-client#151, Chrome is requiring third party cookies to be set with SameSite=None and Secure. While this setting is not yet active on desktop, it is active on Android and therefore breaks all Solid apps using the nssidp.sid cookie from .solid.community.
This can still be bypassed by disabling chrome://flags/#same-site-by-default-cookies.
Presumably non-cookie-based authentication doesn't have this issue, but I'm not sure it's possible to turn off cookie-based authentication at the moment (#672).

I'm not an expert, but it appears the change required is in the definition of the express-session settings
https://github.com/solid/node-solid-server/blob/master/lib/create-app.js#L305
https://www.npmjs.com/package/express-session#cookiesamesite

It may be sufficient to simply use:

    cookie: {
      maxAge: 24 * 60 * 60 * 1000,
      sameSite: 'None'
    }

It seems that http connections should also be completely dropped for authenticated sessions because the third party cookie won't be sent without cookie.secure=true anyway.
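As an added illustration (not code from node-solid-server or from the issue author): the express-session `cookie` options proposed above, with `secure` alongside `sameSite: 'none'` since the poster notes the cookie is useless without it, plus a small check that applies Chrome's SameSite-by-default rules to the resulting Set-Cookie header. The function names and the `secure` switch are hypothetical; the check assumes the cookie is being set from a third-party context, as with `nssidp.sid` from `.solid.community`.

```javascript
// Cookie options in the shape express-session takes under its `cookie` key.
// 'none' is only honoured by Chrome together with Secure, so it is tied to
// the `secure` switch (assumes the server is actually reached over HTTPS).
function sessionCookieOptions({ secure }) {
  return {
    maxAge: 24 * 60 * 60 * 1000, // one day, as in the proposed settings
    httpOnly: true,
    sameSite: secure ? 'none' : 'lax',
    secure,
  };
}

// Render the Set-Cookie header a server would emit for these options.
function setCookieHeader(name, value, opts) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push('Path=/');
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const s = opts.sameSite;
    parts.push(`SameSite=${s[0].toUpperCase()}${s.slice(1)}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header into its name/value pair and a lower-cased
// attribute map (flag attributes such as Secure become `true`).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, value] = pair.split('=');
  const attributes = {};
  for (const a of attrs) {
    const [k, v] = a.split('=');
    attributes[k.toLowerCase()] = v === undefined ? true : v;
  }
  return { name, value, attributes };
}

// Chrome "SameSite by default" outcome for a cookie set in a third-party
// context: no SameSite -> treated as Lax -> withheld on cross-site requests;
// SameSite=None without Secure -> rejected; SameSite=None; Secure -> sent.
function crossSiteVerdict(header) {
  const { attributes } = parseSetCookie(header);
  const sameSite = String(attributes.samesite || 'Lax').toLowerCase();
  const secure = attributes.secure === true;
  if (sameSite === 'none' && !secure) return 'rejected';
  if (sameSite === 'none') return 'sent';
  return 'withheld';
}
```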

@michielbdejong (Member)

This same bug was also reported in https://gitter.im/solid/chat?at=5f4e21ef9bad075eacef0d8c

@michielbdejong (Member)

Hm, I have no problem opening https://otto-aa.github.io/solid-filemanager/?url=https://michielbdejong.solid.community/public in Chrome 84 on Mac OS, or Chrome on Android. I'll try updating Chrome on my Android to the latest version.

@josephguillaume (Author)

Is that meant to be a private resource?
The cookie is not needed to access public resources, as far as I know.

@michielbdejong (Member)

Hm, even with Chrome 85 on Android I can't reproduce any problem. I set chrome://flags/#same-site-by-default-cookies to Enabled in my Chrome on Mac OS, will see if that helps to reproduce it.

tsojcanth commented Sep 2, 2020

I can't replicate it anymore on either Chrome 85 or Firefox 80.

SETUP: I had logged in to my app through Solid with solid-auth-client on Chrome pre-85. The error persisted even after the update to 85.

FIX: clearing cookies and local storage on both the app site and solid. Hitting the logoff button on my pod on solid.community was not effective.

I wonder if somehow solid-auth-client might be at fault for not handling its own inconsistencies?

@josephguillaume (Author)

I'm not sure if something's changed in solid-auth-client, but it looks like it's now able to bypass the cookie failure.

Essentially the effect of this issue is that the browser never sends the nssidp.sid cookie in requests because the browser doesn't accept the set-cookie header from the nss response, i.e. it's maybe a performance issue, but as long as the client has a workaround, things still work.

timbl (Contributor) commented Sep 27, 2020

But this needs to be specified in the solid spec.

@michielbdejong (Member)

cc @csarven ^
