-
Notifications
You must be signed in to change notification settings - Fork 256
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Session cookie need to be visible to OP IFrame Javascript script. #731
Conversation
Even if no back-/frontchannel logout is defined the session cookie should be removed.
src/oic/oauth2/provider.py
Outdated
def write_session_cookie(self, value): | ||
return make_cookie(self.session_cookie_name, value, self.seed, path="/") | ||
def write_session_cookie(self, value, http_only=True): | ||
return make_cookie(self.session_cookie_name, value, self.seed, path="/", httponly=http_only) |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
If IFrames are the usecase, we might want to handle SameSite settings for cookies as well.
Otherwise it will probably break with newer browsers like Chrome 80 that implement SameSite=Lax by default.
(https://chromestatus.com/features#samesite),
https://textslashplain.com/2019/09/30/same-site-cookies-by-default/
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
IFrames is the use case. I'll look at SameSite. Any preference as how to handle it ?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
The make_cookie() method should handle and explitly set a SameSite value. This may requires monkey patching the Cookie class of Python (see Beaker/Cookie class), as it is only supported in 3.8+.
The patch is like this:
from http_cookies import Morsel Morsel._reserved[str('samesite')] = str('SameSite')
In IFrames usage the only value for SameSite that works properly is 'None'.
https://web.dev/samesite-cookie-recipes/
or mentioning it might break OpenID connect logins:
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
Ran isort, blacken, mypy and pylama.
Codecov Report
@@ Coverage Diff @@
## master #731 +/- ##
==========================================
+ Coverage 63.87% 63.91% +0.03%
==========================================
Files 64 64
Lines 11688 11688
Branches 2060 2060
==========================================
+ Hits 7466 7470 +4
+ Misses 3653 3649 -4
Partials 569 569
Continue to review full report at Codecov.
|
If we need monkey patching we an add that later. |
The CI fail has nothing to do with my PR. |
First of all, this needs to be rebased on top of actual master. The CI fail is caused by the added monkeypatch. Mypy doesn't like the access to internal methods. It probably needs to be ignored in this case. |
Even if no back-/frontchannel logout is defined the session cookie should be removed.
Ran isort, blacken, mypy and pylama.
I don't like it either but it was a request from Mikael to add SameSite support and I don't think it can be done without the monkey patch. |
It's now rebased. |
You probably need to add |
Any estimate on when this will be approved ?? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
LGTM now.
CHANGELOG.md
Outdated
@@ -24,10 +24,12 @@ The format is based on the [KeepAChangeLog] project. | |||
- [#711] Deal with no post_logout_redirect_uri | |||
- [#712] Set Content-Type on BackChannel logout POST. | |||
- [#717] Missing OP logout metadata. | |||
- [#731] Session cookie need to be visible to OP IFrame. |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This needs to be moved to the Unreleased part together with the link.
…into session_management
Here is an overview of what got changed by this pull request: Issues
======
+ Solved 2
See the complete overview on Codacy |
And even if no back-/frontchannel logout is defined the session cookie should be removed.
CHANGELOG.md
.