Session cookie need to be visible to OP IFrame Javascript script. #731
Conversation
Even if no back-/frontchannel logout is defined the session cookie should be removed.
src/oic/oauth2/provider.py
Outdated
| def write_session_cookie(self, value): | ||
| return make_cookie(self.session_cookie_name, value, self.seed, path="/") | ||
| def write_session_cookie(self, value, http_only=True): | ||
| return make_cookie(self.session_cookie_name, value, self.seed, path="/", httponly=http_only) |
There was a problem hiding this comment.
If IFrames are the usecase, we might want to handle SameSite settings for cookies as well.
Otherwise it will probably break with newer browsers like Chrome 80 that implement SameSite=Lax by default.
(https://chromestatus.com/features#samesite),
https://textslashplain.com/2019/09/30/same-site-cookies-by-default/
There was a problem hiding this comment.
IFrames is the use case. I'll look at SameSite. Any preference as how to handle it ?
There was a problem hiding this comment.
The make_cookie() method should handle and explitly set a SameSite value. This may requires monkey patching the Cookie class of Python (see Beaker/Cookie class), as it is only supported in 3.8+.
The patch is like this:
from http_cookies import Morsel Morsel._reserved[str('samesite')] = str('SameSite')
In IFrames usage the only value for SameSite that works properly is 'None'.
https://web.dev/samesite-cookie-recipes/
or mentioning it might break OpenID connect logins:
https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/
Ran isort, blacken, mypy and pylama.
Codecov Report
@@ Coverage Diff @@
## master #731 +/- ##
==========================================
+ Coverage 63.87% 63.91% +0.03%
==========================================
Files 64 64
Lines 11688 11688
Branches 2060 2060
==========================================
+ Hits 7466 7470 +4
+ Misses 3653 3649 -4
Partials 569 569
Continue to review full report at Codecov.
|
|
If we need monkey patching we an add that later. |
|
The CI fail has nothing to do with my PR. |
|
First of all, this needs to be rebased on top of actual master. The CI fail is caused by the added monkeypatch. Mypy doesn't like the access to internal methods. It probably needs to be ignored in this case. |
Even if no back-/frontchannel logout is defined the session cookie should be removed.
Ran isort, blacken, mypy and pylama.
|
I don't like it either but it was a request from Mikael to add SameSite support and I don't think it can be done without the monkey patch. |
|
It's now rebased. |
|
You probably need to add |
|
Any estimate on when this will be approved ?? |
CHANGELOG.md
Outdated
| @@ -24,10 +24,12 @@ The format is based on the [KeepAChangeLog] project. | |||
| - [#711] Deal with no post_logout_redirect_uri | |||
| - [#712] Set Content-Type on BackChannel logout POST. | |||
| - [#717] Missing OP logout metadata. | |||
| - [#731] Session cookie need to be visible to OP IFrame. | |||
There was a problem hiding this comment.
This needs to be moved to the Unreleased part together with the link.
…into session_management
|
Issues
======
+ Solved 2
See the complete overview on Codacy |
And even if no back-/frontchannel logout is defined the session cookie should be removed.
CHANGELOG.md.