
Cookie not set with SameSite attribute

Open josephguillaume opened this issue 5 years ago • 8 comments

As noted on solid-auth-client https://github.com/solid/solid-auth-client/issues/151, Chrome is requiring third party cookies to be set with SameSite=None and Secure. While this setting is not yet active on desktop, it is active on Android and therefore breaks all Solid apps using the nssidp.sid cookie from .solid.community. This can still be bypassed by disabling chrome://flags/#same-site-by-default-cookies. Presumably non-cookie based authentication doesn't have this issue but I'm not sure it's possible to turn off cookie-based authentication at the moment (https://github.com/solid/node-solid-server/issues/672)

I'm not an expert, but it appears the change required is in the definition of the express-session settings https://github.com/solid/node-solid-server/blob/master/lib/create-app.js#L305 https://www.npmjs.com/package/express-session#cookiesamesite

It may be sufficient to simply use:

    cookie: {
      maxAge: 24 * 60 * 60 * 1000,
      sameSite: 'None'
    }

It seems that http connections should also be completely dropped for authenticated sessions because the third party cookie won't be sent without cookie.secure=true anyway.

josephguillaume avatar Aug 08 '20 10:08 josephguillaume
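The following is an added example, not code from node-solid-server or from the issue author, that models the browser behaviour the opening post describes: how Chrome with "SameSite by default" treats the `Set-Cookie` header produced by each of the express-session `cookie` configurations under discussion (the original one with no `sameSite`, the `sameSite: 'None'` fragment above, and `sameSite: 'None'` plus `secure: true`). The cookie name `nssidp.sid` is the one named in the issue; the serializer mirrors the shape of express-session's cookie options but nothing here imports express-session, and the session value is a constructed placeholder.

```javascript
// Added example (not node-solid-server code): simulates how a browser with
// SameSite-by-default cookie handling (Chrome 80+) treats the Set-Cookie
// header that a given express-session `cookie` option object would produce,
// when the cookie is set by the IdP origin and later needed from a
// cross-site (third-party) context such as a Solid app on another origin.

// Build a Set-Cookie header from express-session-style cookie options.
// Option names (maxAge, path, httpOnly, secure, sameSite) follow express-session;
// the serialization itself is this example's own, not the library's.
function serializeCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.httpOnly !== false) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite) {
    const v = opts.sameSite === true ? 'Strict' : String(opts.sameSite);
    parts.push(`SameSite=${v[0].toUpperCase()}${v.slice(1).toLowerCase()}`);
  }
  return parts.join('; ');
}

// Parse the attributes we care about back out of a Set-Cookie header.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const [name, ...rest] = pair.split('=');
  const cookie = { name, value: rest.join('='), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

// Apply the SameSite-by-default rules:
//   - a cookie with no SameSite attribute is treated as Lax: stored, but not
//     attached to cross-site requests;
//   - SameSite=None without Secure is rejected when the Set-Cookie arrives;
//   - SameSite=None; Secure is attached cross-site, but only over https.
function crossSiteBehaviour(setCookieHeader, requestScheme = 'https') {
  const c = parseSetCookie(setCookieHeader);
  const sameSite = c.sameSite || 'lax';
  if (sameSite === 'none' && !c.secure) {
    return { stored: false, sentCrossSite: false, reason: 'SameSite=None requires Secure; cookie rejected' };
  }
  if (sameSite !== 'none') {
    return { stored: true, sentCrossSite: false, reason: `SameSite=${sameSite} (Lax is the default) blocks third-party use` };
  }
  if (c.secure && requestScheme !== 'https') {
    return { stored: true, sentCrossSite: false, reason: 'Secure cookie is not sent over http' };
  }
  return { stored: true, sentCrossSite: true, reason: 'SameSite=None; Secure, sent cross-site over https' };
}

// The three express-session cookie configurations under discussion.
const ORIGINAL_COOKIE = { maxAge: 24 * 60 * 60 * 1000 };                           // no SameSite attribute
const PROPOSED_COOKIE = { maxAge: 24 * 60 * 60 * 1000, sameSite: 'None' };          // fragment from the issue
const FIXED_COOKIE = { maxAge: 24 * 60 * 60 * 1000, sameSite: 'None', secure: true }; // None + Secure

// Evaluate one configuration for the nssidp.sid cookie; the session value is a
// constructed placeholder, not a real session id.
function evaluate(cookieOpts, scheme = 'https') {
  return crossSiteBehaviour(serializeCookie('nssidp.sid', 'sample-session-id', cookieOpts), scheme);
}

for (const [label, opts] of [['original', ORIGINAL_COOKIE], ['proposed', PROPOSED_COOKIE], ['fixed', FIXED_COOKIE]]) {
  console.log(label, serializeCookie('nssidp.sid', 'sample-session-id', opts));
  console.log('  https:', evaluate(opts, 'https'));
  console.log('  http: ', evaluate(opts, 'http'));
}
```

The run shows why `sameSite: 'None'` alone is not enough: the browser discards the cookie outright, so the session never exists as far as cross-site requests are concerned, whereas `sameSite: 'None'` together with `secure: true` works, and only over https. That matches express-session's own behaviour with `cookie.secure = true`, where the cookie is not set over a plain http connection at all (and, behind a TLS-terminating proxy, `app.set('trust proxy', 1)` is needed for express-session to see the connection as secure).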

This same bug was also reported in https://gitter.im/solid/chat?at=5f4e21ef9bad075eacef0d8c

michielbdejong avatar Sep 01 '20 10:09 michielbdejong

Hm, I have no problem opening https://otto-aa.github.io/solid-filemanager/?url=https://michielbdejong.solid.community/public in Chrome 84 on Mac OS, or Chrome on Android. I'll try updating Chrome on my Android to the latest version.

michielbdejong avatar Sep 02 '20 07:09 michielbdejong

Is that meant to be a private resource? The cookie is not needed to access public resources, as far as I know.

josephguillaume avatar Sep 02 '20 07:09 josephguillaume

Hm, even with Chrome 85 on Android I can't reproduce any problem. I set chrome://flags/#same-site-by-default-cookies to Enabled in my Chrome on Mac OS, will see if that helps to reproduce it.

michielbdejong avatar Sep 02 '20 07:09 michielbdejong

I can't replicate anymore on either Chrome 85 or Firefox 80.

SETUP: I had logged into my app through Solid with solid-auth-client on Chrome pre-85. The error persisted even after the update to 85.

FIX: clearing cookies and local storage on both the app site and solid. Hitting the logoff button on my pod on solid.community was not effective.

I wonder if somehow solid-auth-client might be at fault for not handling its own inconsistencies?

tsojcanth avatar Sep 02 '20 09:09 tsojcanth

I'm not sure if something's changed in solid-auth-client, but it looks like it's now able to bypass the cookie failure.

Essentially the effect of this issue is that the browser never sends the nssidp.sid cookie in requests because the browser doesn't accept the set-cookie header from the nss response, i.e. it's maybe a performance issue, but as long as the client has a workaround, things still work.

josephguillaume avatar Sep 02 '20 11:09 josephguillaume

But this needs to be specified in the solid spec.

timbl avatar Sep 27 '20 08:09 timbl

cc @csarven ^

michielbdejong avatar Sep 28 '20 07:09 michielbdejong