Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Add SameSite option #264

Open
wants to merge 1 commit into
base: master
Choose a base branch
from
Open

Add SameSite option #264

wants to merge 1 commit into from

Conversation

heralight
Copy link

Related to #95

Add the possibility to set le SameSite cookie flag.

@jmichler
Copy link

Hi, I'd really appreciate if this could be merged: It would solve the issues we have when trying to embedd a page authenticated over these means as an iframe into e.g. confluence or sharepoint!
@heralight : Do you have a public docker image with "your" build of this that I could use in the meantime?

@@ -28,6 +28,7 @@ type Config struct {
Config func(s string) error `long:"config" env:"CONFIG" description:"Path to config file" json:"-"`
CookieDomains []CookieDomain `long:"cookie-domain" env:"COOKIE_DOMAIN" env-delim:"," description:"Domain to set auth cookie on, can be set multiple times"`
InsecureCookie bool `long:"insecure-cookie" env:"INSECURE_COOKIE" description:"Use insecure cookies"`
SameSiteCookie int `long:"same-site-cookie" env:"SAMESITE_COOKIE" default:"0" description:"Set cookies SameSite value (0: Default (1), 1: Lax, 2: Strict, 3: None)"`

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

I think that those numbers are wrong. For me I needed to set 4 for None for example

@@ -173,6 +173,7 @@ func MakeCookie(r *http.Request, email string) *http.Cookie {
Path: "/",
Domain: cookieDomain(r),
HttpOnly: true,
SameSite: http.SameSite(config.SameSiteCookie),

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

shouldn't we have this line in the 3 other similar blocks in this package? So both for the "Clear" and for the CSRF-Cookie further down? I needed to do this in order to get everything work on my end

@@ -154,6 +161,7 @@ Application Options:
--config= Path to config file [$CONFIG]
--cookie-domain= Domain to set auth cookie on, can be set multiple times [$COOKIE_DOMAIN]
--insecure-cookie Use insecure cookies [$INSECURE_COOKIE]
--same-site-cookie Set SameSite cookie property (0: Default (1), 1: Lax, 2: Strict, 3: None)

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The Env-Name available to control this sould be documented here, [$SAMESITE_COOKIE]

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

same issue here with the numbers as well, I think also the (1) is missleading?

@jmichler
Copy link

jmichler commented Nov 17, 2021

Not sure if this is related: even with the fix from the PR it is only working to embedd a page protected over this tool as an IFrame if at least once before the user has accessed the page standalone and has a current session with the IDP established. If not the flow tries to redirect to login.microsoftonline and that page denies to be shown in an iframe.

  1. has anyone managed to solve this?
  2. I think this application has no real chance to solve this? Since before redirecting to the Microsoft oauth endpoint it does not know if a login is required? And this can not go for the workaround to open the login page as a pop-up? see https://docs.microsoft.com/en-us/answers/questions/387682/loginmicrosoftonline-refused-to-connect-from-ifram.html

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

2 participants