
Problem with session.cookie_samesite = "Strict" #2

Closed
joszz opened this issue Jan 28, 2022 · 8 comments

Comments

joszz commented Jan 28, 2022

The examples do not work when PHP is configured with:
session.cookie_samesite = "Strict"

This makes sense, since the callback URL originates from the DUO servers, and Strict prevents cookies from being sent in that case.
Maybe a note about this is in order?
A workaround could be storing the state in a DB.
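To make the failure mode concrete, here is a small Python model of the browser's SameSite decision applied to the Universal Prompt round trip (an added illustration, not code from this issue or from the Duo client). The hostnames are constructed stand-ins for the application and the Duo prompt host, the site check is a simplification of the Public Suffix List, and the model also covers Lax and None, which the thread does not discuss, to show why only Strict loses the session on the callback.

```python
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlparse

# Constructed stand-ins for the web application and for the Duo host that
# redirects the browser back to the application's callback URL.
APP_LOGIN_URL = "https://app.example.com/login"
APP_CALLBACK_URL = "https://app.example.com/duo-callback"
DUO_AUTH_URL = "https://prompt.example.net/oauth/v1/authorize"


def site_of(url: str) -> str:
    """Reduce a URL to its 'site' (registrable domain). Real browsers consult the
    Public Suffix List; taking the last two host labels is a simplification."""
    host = urlparse(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Cookie:
    name: str
    samesite: str  # value of the SameSite attribute: "Strict", "Lax" or "None"


def cookie_is_sent(cookie: Cookie, request_url: str, initiator_url: Optional[str],
                   top_level: bool, method: str) -> bool:
    """Simplified SameSite rule (RFC 6265bis): same-site requests always carry the
    cookie; None always sends it; Lax sends it only on top-level navigations with a
    safe method; Strict never sends it when the request was initiated cross-site."""
    if initiator_url is None or site_of(initiator_url) == site_of(request_url):
        return True
    policy = cookie.samesite.lower()
    if policy == "none":
        return True
    if policy == "lax":
        return top_level and method.upper() in ("GET", "HEAD")
    return False  # Strict


def callback_gets_session(ini_cookie_samesite: str) -> bool:
    """Model the round trip with PHP's session cookie carrying the SameSite value
    from session.cookie_samesite. Returns whether the callback request still
    carries PHPSESSID, i.e. whether the state stored in the session is reachable."""
    session_cookie = Cookie("PHPSESSID", ini_cookie_samesite)
    # 1. /login is a same-site request: the session (holding state and username)
    #    is created and the cookie is set.  2. The app redirects the browser to Duo.
    # 3. Duo redirects it back to the callback: a top-level GET whose initiator is
    #    the Duo site, so the browser treats the request as cross-site.
    return cookie_is_sent(session_cookie, APP_CALLBACK_URL, DUO_AUTH_URL, True, "GET")
```

With "Strict" the callback arrives without PHPSESSID, so the state saved in step 1 cannot be compared against the state parameter Duo returns; with "Lax" the top-level GET redirect still carries it.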

@AaronAtDuo
Contributor

@joszz I've run into a similar issue with the C# client. The examples are purposely simplistic around the mechanism to store the state and username, because of this very issue - the best way to persist that information will definitely vary depending on the web application's architecture and security controls. Do you have a suggestion for a note that we could add after

Store it in the session to be later used by the callback.

to make it clear to developers?

joszz commented Feb 1, 2022

Hmm, not so easy to come up with something to the point :)
Maybe something like:
Note that a session relies on a cookie. Cookies might not be sent, for example when the PHP ini setting session.cookie_samesite is set to "Strict".

@AaronAtDuo
Contributor

How about

This example demonstrates use of the http session (cookies) for storing the state. In some applications, CORS or strict cookie controls will mean a different mechanism to persist the state and username will be necessary.

joszz commented Feb 4, 2022

I could be missing something here, but I do not see CORS impacting the functionality.
This new API is not made to be accessed through async JavaScript requests, or is it?
CORS only has an impact on such APIs.

@AaronAtDuo
Contributor

We've had reports on some of the other languages' repos about CORS issues, from people that are using it from XHR requests. Though actually, that affects the redirect behavior and not the session storage, so it probably doesn't belong here anyway.

So maybe just

This example demonstrates use of the http session (cookies) for storing the state. In some applications, strict cookie controls or other session security measures will mean a different mechanism to persist the state and username will be necessary.

joszz commented Feb 4, 2022

Hmm, curious now about the async requests, might look into that :)
The comment looks good to me!

AaronAtDuo commented Feb 4, 2022

Check out duosecurity/duo_universal_python#1 re the CORS issue. We've also had folks contact our support team about it.

I'll try to get the comment update in soon.

@AaronAtDuo
Contributor

Added the comment from above to the example. Commit e108fc9.
