New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
How to implement the double cookie policy for the SameSite policy changes #17518
Comments
You would fork the cookie middleware, and have it drop two cookies, then check on the return for the presence of one or both. You may think that you could add two cookie middlewares, and set the Same Site setting to Lax on one and -1 on the other so the attribute isn't written, but you can still only have one middleware as the default, so that approach won't work. |
Double issuing cookies is going to be at least as complicated as browser sniffing. @blowdart is right, you're going to have to fork every component that issues a cookie and customize it. You'll have to be extra careful around deleting cookies, ensuring you always delete both even if you only receive one. |
@blowdart: @Tratcher: we are only talking about the authentication cookie, all other cookies can have the Lax or even Strict policy in our application. |
We think it's possible, you'd just have to make decisions on which cookie wins. It's not something we've tried though. |
OK, we'll give it a try and will report back. Thanks so far! |
Note OpenIDConnect uses temporary nonce and correlation cookies that are highly impacted by the SameSite transition. These default to SameSite=None which will have issues on older browsers. Two places you're going to struggle with for CookieAuth:
|
You're right. Unfortunately the OpenIDConnect middleware does not use a cookie manager or some other replacable component to obtain/set cookies. Do you think it's possible to replace the
We've not tested this, however, as Google is recommending to do it that way we don't think we run into much trouble due to size limits.
Is the Best regards, |
The OIDC temp cookies are small and don't need chunking. Only the final auth cookie is large and that's managed by CookieAuth.
Take that guidance with a grain of salt, that came from the Chrome team, they didn't actually implement it that guidance anywhere. You're almost guaranteed to break Safari with large cookies.
The CookiePolicyMiddleware middleware does this, but only for response cookies. CookiePolicyMiddleware can't do double cookies, but you could model a solution off that. Request cookies could be intercepted in a similar way via the IRequestCookiesFeature. Again, you're not saving yourself any effort with this approach. If anything it will be harder and more error prone. Yes user agents are annoying to deal with, but that's a problem fairly easily addressed by monitoring your app telemetry. The community has already put together a good starting list. |
First: thank you for the short reply times, really appreciate it!
We've realized that already, still, there is this problem with the user agent sniffing that it is brittle by design. What works today may (and will be!) broken tomorrow. We think it's better to invest some more upfront design/coding into the matter and have no problems with our customers later on in the wild.
Can you give me a pointer to the issue where this is happening? I'll have a look tomorrow. If we are running into broken-tomorrow-problems with the cookie approach too, we might decide to not go the double-cookie path after all. Best regards, |
Perhaps, but the fix is usually easy as well.
We're summarizing it in a new doc here: |
@Tratcher is it ok to take that sample code from the doc and create a drop-in NuGet package for it? |
@huysentruitw Only if you want to maintain it, it will likely need additions. That's why we didn't embedded it in the framework. |
Triage: We don't intend to support double-cookies at this time. There are a number of problems with implementing it and it would significant disrupt the ecosystem. Our recommendation here is to use the browser sniffing mechanism. |
We have implemented a solution that combines both the policy solution and the double cookie solution to avoid sniffing the agent.
|
That sounds like a very good idea. How do you add this extra request to the pipeline before the authentication redirect is performed? |
Yes, we issue these two cookies if they are not present, before even authenticating the user. |
This might work under some conditions, but I expect it will usually be too late. E.g. You have to know this information when you first issue a cookie, but most of the time that is on a normal SameSite-safe request so you get both of your test cookies. By the time the SameSite protections kick in, it's already too late to change the cookie that matters. E.g. in a remote login flow you'd do this check during the initial challenge which is a SameSite request, issue the temp auth cookie normally, but when you returned from the 3rd party then both the test cookie and the temp cookie would fail. |
That's a good point. |
A colleague of mine had the following idea today: in a middlware before OpenID Connect we catch all POST requests from our OpenID Connect authentication provider (those requests have no cookies attached), and render a page which immediately posts the same values via AJAX back to the server (cookies are now attached, are they?!). After receiving the response (including the actual authentication cookie) we redirect to the actual redirect URL. Could this work? |
You mean something like this, but for POST instead of just GET? |
@drauch sounds like a clever idea. The middleware could check on endpoint, POST and the lack of the nonce cookie. Only need to prevent not to get into an endless loop, right? |
Yes. Have you tested it with POST as well? BTW: Are you sure that in step 3 the original nonce cookie for the external provider (which is set in response to step 1) is included in step 3? I think it already fails in step 3 because of this, not in step 4. |
@huysentruitw : I'm not sure what your sentence is asking of me, sorry :-) Could you rephrase it? |
@drauch I'm just thinking that an implementation like that could easily get into an endless loop of POST-ing the same thing back (f.e. when the nonce cookie has already expired for whatever reason). |
@huysentruitw : Ah, now I understand. Yes, you would need to mitigate such situations, if the POST comes from within the page and the response to it would be a 302 to the authentication provider, instead fail with 403. |
In contrast to your recommendation described here and here we want to go with Google's recommended solution: namely setting two cookies (if you want to know why, see details below).
Question: How would one implement the 2-cookie-solution using the Cookie and OpenIDConnect middlewares?
(we're using ASP.NET Core 2.1.x and .NET Framework 4.7.2)
Best regards,
D.R.
Details: major browser vendors and authentication providers (e.g., Google or Auth0) opt for the double cookie solution. Mostly because: your recommended solution of browser sniffing doesn't cover all the scenarios (see Auth0 blog article for more details on this).
The text was updated successfully, but these errors were encountered: