Make this site private - not working in Chrome and Opera

Open joe-blocher opened this issue 1 year ago • 21 comments

Issue Summary

Change or delete row 58: versions/5.54.4/core/frontend/apps/private-blogging/lib/middleware.js

```js
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
        sameSite: 'lax'     // <----- row 58: instead of 'none', or delete the row
    })(req, res, next);
```

Or you can delete row 58, because sameSite: 'Lax' is the default value. You can't code 'secure' within an object - secure: true will not work.

Works now in Chrome and Opera. See https://web.dev/i18n/en/samesite-cookies-explained (1): Mark cross-site cookies as Secure to allow setting them in cross-site contexts.

Steps to Reproduce

See https://forum.ghost.org/t/make-this-site-private-not-working/39938/1

Ghost Version

5.54.4

Node.js Version

v18.15.0

How did you install Ghost?

local, macos

Database type

SQLite3

Browser & OS version

No response

Relevant log / error output

No response

Code of Conduct

  • [X] I agree to be friendly and polite to people in this repository

joe-blocher avatar Jul 27 '23 02:07 joe-blocher

Maybe you can implement it like the 'ghost-admin-api-session': versions/5.54.4/core/server/services/auth/session/express-session.js

```js
function getExpressSessionMiddleware() {
        ...
            name: 'ghost-admin-api-session',
            cookie: {
                maxAge: constants.SIX_MONTH_MS,
                httpOnly: true,
                path: urlUtils.getSubdir() + '/ghost',
                sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
                secure: urlUtils.isSSL(config.get('url'))
            }
        });
    }
    return unoExpressSessionMiddleware;
}
```

joe-blocher avatar Jul 27 '23 09:07 joe-blocher

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

github-actions[bot] avatar Aug 24 '23 03:08 github-actions[bot]

In core/frontend/apps/private-blogging/lib/middleware.js:

```js
const privateBlogging = {
    …
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
        // sameSite: 'none'    <--- replace this with the 2 lines below
        sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
        secure: urlUtils.isSSL(config.get('url'))
    })(req, res, next);
},
```

and all is fine! Implement it in the same way as you did in core/server/services/auth/session/express-session.js

joe-blocher avatar Aug 27 '23 06:08 joe-blocher
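
As an added example (not Ghost's code and not part of this thread): a small model of the cookie attributes the proposed fix derives from the configured site URL, rendered as a Set-Cookie header and checked against the browser rule cited above (a SameSite=None cookie is only stored when it is also Secure). The `isSSL` helper is a hypothetical stand-in for Ghost's `urlUtils.isSSL(config.get('url'))`, and the cookie value is a constructed sample.

```javascript
'use strict';

// Hypothetical stand-in for Ghost's urlUtils.isSSL(config.get('url')).
function isSSL(siteUrl) {
  return new URL(siteUrl).protocol === 'https:';
}

// Attributes the unfixed middleware sets: SameSite=None and Secure never set.
function brokenCookieOptions() {
  return { name: 'ghost-private', sameSite: 'none', secure: false };
}

// Attributes from the proposed fix: None+Secure on https, Lax on plain http.
function fixedCookieOptions(siteUrl) {
  const ssl = isSSL(siteUrl);
  return { name: 'ghost-private', sameSite: ssl ? 'none' : 'lax', secure: ssl };
}

// Render the attributes as a Set-Cookie header (the value is a constructed sample).
function setCookieHeader(opts, value = 'opaque-session-value') {
  const sameSite = opts.sameSite[0].toUpperCase() + opts.sameSite.slice(1);
  const parts = [`${opts.name}=${value}`, `SameSite=${sameSite}`];
  if (opts.secure) parts.push('Secure');
  return parts.join('; ');
}

// Model of the modern-browser acceptance rule (Chrome, Opera, ...) for a
// Set-Cookie header received from pageUrl. A missing SameSite attribute is
// treated as Lax. Returns null when the cookie is stored, otherwise the reason
// it is dropped.
function browserRejects(header, pageUrl) {
  const attrs = header.split(';').slice(1).map(a => a.trim().toLowerCase());
  const sameSiteAttr = attrs.find(a => a.startsWith('samesite=')) || 'samesite=lax';
  const sameSite = sameSiteAttr.split('=')[1];
  const secure = attrs.includes('secure');
  if (sameSite === 'none' && !secure) return 'SameSite=None without Secure';
  if (secure && new URL(pageUrl).protocol !== 'https:') return 'Secure cookie over http';
  return null;
}
```

Running the broken options against a local http page reproduces the rejection the thread describes, while the fixed options are stored both locally (Lax) and on an https site (None; Secure).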

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

github-actions[bot] avatar Aug 27 '23 07:08 github-actions[bot]

Hey there, thank you so much for the detailed bug report.

That does look like something that shouldn't happen! A PR to fix this issue would be very welcome 🙂

daniellockyer avatar Sep 01 '23 12:09 daniellockyer

I have made the PR

joe-blocher avatar Sep 02 '23 07:09 joe-blocher

Hi, I am facing the same issue in the latest version of Ghost, unable to login to the private site using Chrome based browsers.

hussainb avatar Oct 15 '23 12:10 hussainb

It's nearly three months later ... and nothing happened. But for me it's closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938

joe-blocher avatar Oct 16 '23 06:10 joe-blocher

> It's nearly three months later ... and nothing happened. But for me it's closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938

yeah, they didn't care to merge it. but I appreciate you for your troubleshooting and the fix.

I think just a rerun would be required to pass the build, otherwise the PR is already approved:

https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938

hussainb avatar Oct 16 '23 06:10 hussainb

I have made my first PR. I think the 2nd one failed: Merge branch 'main' into joe-blocher-patch-1 https://github.com/TryGhost/Ghost/pull/17938/commits/ae0f64eb578f4aa43248da1b3e807a1f0c3b9bef

I don't really know what it is for or how I can delete this PR...

joe-blocher avatar Oct 16 '23 07:10 joe-blocher

Maybe @daniellockyer can help

hussainb avatar Oct 16 '23 07:10 hussainb

You didn't fix the error: Make this site private - not working in Chrome and Opera

SOLUTION - I told you in August 2023 and I have made the PR!

versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js

```js
const privateBlogging = {
    ....
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,

        sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',  // <--- insert this
        secure: urlUtils.isSSL(config.get('url')),                     // <--- insert this
        // sameSite: 'none'                                            // <--- row 58: remove
    })(req, res, next);
},
```

joe-blocher avatar Apr 18 '24 08:04 joe-blocher

The pull request is still not merged in version 5.82.2: Fixed private mode cookie for local development #17938

Why not?

joe-blocher avatar Apr 20 '24 02:04 joe-blocher

What makes you say the PR wasn't merged? The commit shows that it's been in releases starting from 5.70.0.

vikaspotluri123 avatar Apr 20 '24 06:04 vikaspotluri123

I've downloaded the code: versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js But the code is still the same:

```js
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
        sameSite: 'none'    // <--- why this?
    })(req, res, next);
},
```

joe-blocher avatar Apr 20 '24 09:04 joe-blocher

The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:

https://github.com/TryGhost/Ghost/pull/19298

vikaspotluri123 avatar Apr 20 '24 18:04 vikaspotluri123

> The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:
>
> #19298

OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

davedub avatar May 03 '24 14:05 davedub

> The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted: #19298

> OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

My solution: I always change the code myself when I install an update. You only have to change 2 lines. I first reported the solution in August 2023. Maybe they will fix the bug sometime ...

joe-blocher avatar May 03 '24 14:05 joe-blocher

Hey guys, any update on this one? I couldn't access the links behind why the commit was reverted. So not sure on the details or complexity of the bug, is there any progress towards figuring it out? Thanks, and I'm a huge Ghost fan 😊

TheLaurenBarger avatar Jun 06 '24 16:06 TheLaurenBarger

Downloaded version 5.89.1 - this bug is still not fixed.

You only have to change 2 lines in your code. I first reported the solution in August 2023. Why is this impossible?

joe-blocher avatar Aug 10 '24 08:08 joe-blocher