
Support for SameSite cookies


SameSite cookies are already supported by Chrome and Firefox, but at the moment not enabled by default. When enabled (tested with Chrome 76 beta), the SAML authentication breaks. Namely, when the IdP uses the SAML HTTP-POST binding to send the SAML Response back to the SATOSA backend and SameSite cookies are enabled, the SATOSA cookie will not be included in the POST request and SATOSA will fail.

This is not an immediate problem, but it will become a problem when/if browsers turn on SameSite cookies by default.

Code Version

master

Expected Behavior

When SATOSA creates the state cookie, it should have SameSite set to None.

Current Behavior

There is no support for SameSite. The change for SATOSA is trivial, but the problem is that the Python http library also has to support SameSite cookies. SameSite cookie support has been added to the Python 3.8 branch.

Possible Solution

Wait for Python 3.8 and then add support for SameSite cookies in state.py. In the meantime, for SATOSA deployments that are behind an HTTP reverse proxy, the problem can be mitigated by setting the cookie parameters in the HTTP reverse proxy.

For nginx the following directive does the trick:

proxy_cookie_path ~(/*) "$1; SameSite=None";

Steps to Reproduce

  1. Download Chrome 76 beta
  2. Go to chrome://flags
  3. Enable “SameSite by default cookies”
  4. Clear all cookies
  5. Use SATOSA to authenticate to a SAML IdP (The domain of the IdP has to be different from the domain of the SATOSA instance)


Issue Analytics

  • State: closed
  • Created 4 years ago
  • Comments: 11 (6 by maintainers)

Top GitHub Comments

andrewsali commented, Feb 3, 2020 (2 reactions)

There is however a browser-independent solution as recommended by Google and referenced in the Auth0 article. SATOSA needs to send 2 cookies, one SATOSA_STATE (with SameSite=None and Secure) and one SATOSA_STATE_LEGACY, with the latter being sent with the current settings. Then SATOSA needs to check when parsing the cookie if SATOSA_STATE exists (should for new browsers); if not, then try parsing SATOSA_STATE_LEGACY (which will make it work with old Safari, etc…).

I see the point with respect to Python 3.8, however I think this fix will become necessary as Chrome is such a dominant browser.
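The two-cookie scheme described in the comment above, as an added example that is neither SATOSA's own code nor part of this thread: the standard http.cookies module (whose samesite attribute exists from Python 3.8) emits both Set-Cookie headers, and the request side prefers SATOSA_STATE and falls back to SATOSA_STATE_LEGACY. The cookie names come from the comment; the path and HttpOnly settings are assumptions.

```python
from http.cookies import SimpleCookie

STATE_COOKIE = "SATOSA_STATE"            # name from the GitHub comment
LEGACY_COOKIE = "SATOSA_STATE_LEGACY"    # name from the GitHub comment


def build_state_cookies(value, path="/"):
    """Return the two Set-Cookie header values for one state value.

    SATOSA_STATE carries SameSite=None; Secure so that browsers enforcing
    SameSite=Lax by default still send it on the cross-site HTTP-POST
    binding from the IdP. SATOSA_STATE_LEGACY omits SameSite for browsers
    that mishandle SameSite=None (old Safari). Setting the 'samesite'
    attribute raises CookieError on Python < 3.8.
    Path and HttpOnly are assumed settings, not taken from the thread.
    """
    jar = SimpleCookie()
    for name in (STATE_COOKIE, LEGACY_COOKIE):
        jar[name] = value
        jar[name]["path"] = path
        jar[name]["secure"] = True      # both cookies only over HTTPS
        jar[name]["httponly"] = True    # keep the state out of page scripts
    jar[STATE_COOKIE]["samesite"] = "None"
    # Insertion order is preserved, so SATOSA_STATE comes first.
    return [morsel.OutputString() for morsel in jar.values()]


def read_state_cookie(cookie_header):
    """Parse a request Cookie header; prefer the SameSite=None cookie,
    fall back to the legacy one, and return None if neither is present."""
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    for name in (STATE_COOKIE, LEGACY_COOKIE):
        if name in jar:
            return jar[name].value
    return None


if __name__ == "__main__":
    for header in build_state_cookies("constructed-state-value"):
        print("Set-Cookie:", header)
    print(read_state_cookie("SATOSA_STATE_LEGACY=constructed-state-value"))
```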

c00kiemon5ter commented, Feb 3, 2020 (1 reaction)

That actually sounds like a great solution. I will try to put something along those lines soon. Thanks for bringing this up 😉
