Openid refresh dance in some sites still broken with Firefox new "SameSite=lax" cookie policy
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
Canonical SSO provider | Fix Released | Critical | Maximiliano Bertacchini |
Bug Description
Session and CSRF cookies switched to explicit "SameSite=None; Secure" in response to the new "lax by default" policy in modern browsers (lp:1888734), but I'm still experiencing intermittent issues while logging in to some sites. My browser is Firefox 81.0 snap on Ubuntu Focal, with "network.
- https:/
- browser enters an infinite loop redirecting between snapcraft.io and sso/openid, with an infinite number of log messages like: "Cookie “openid_referer” has “SameSite” policy set to “Lax” because it is missing a “SameSite” attribute, and “SameSite=Lax” is the default value for this attribute."
- https:/
- Apache returns a 403 page with: "Forbidden: You don't have permission to access /online-
Once I manually set "network.
I believe setting openid_referer with "SameSite=None; Secure" should fix it, but am a bit unsure as I cannot reproduce at the moment.
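As an added illustration (not code from this bug or from the SSO project), the following Python models the browser-side SameSite decision the report describes: a cookie set without a SameSite attribute is treated as Lax under the Firefox experiment and withheld from a cross-site POST, while the proposed "SameSite=None; Secure" form is still sent. The cross-site top-level POST (an auto-submitted OpenID form) and the cookie values are assumptions, not details taken from the report.

```python
from dataclasses import dataclass
from http.cookies import SimpleCookie

# Constructed model of the browser's SameSite decision; not the SSO's own code.
@dataclass
class Request:
    cross_site: bool   # request initiated from a different site than the cookie's
    top_level: bool    # a navigation (URL bar changes) rather than XHR/subresource
    method: str
    https: bool

def parse_set_cookie(header: str) -> dict:
    """Pull name, value, SameSite mode and Secure flag from a Set-Cookie line."""
    jar = SimpleCookie()
    jar.load(header)
    (name, morsel), = jar.items()
    mode = morsel.get("samesite", "") or ""
    return {"name": name, "value": morsel.value,
            "samesite": mode.lower() or None, "secure": bool(morsel.get("secure"))}

def cookie_sent(cookie: dict, req: Request, lax_by_default: bool) -> bool:
    """Would the browser attach this cookie to the request?"""
    if cookie["secure"] and not req.https:
        return False                      # Secure cookies never go over plain HTTP
    mode = cookie["samesite"]
    if mode is None and not lax_by_default:
        return True                       # legacy default: unrestricted
    if mode is None:
        mode = "lax"                      # Firefox experiment: missing attribute -> Lax
    if mode == "none":
        return cookie["secure"]           # explicit None is honoured only with Secure
    if not req.cross_site:
        return True
    if mode == "lax":                     # Lax still rides along on top-level GETs
        return req.top_level and req.method.upper() in ("GET", "HEAD")
    return False                          # Strict: never cross-site

def reproduce_loop() -> dict:
    """Reporter's scenario: cross-site OpenID request from snapcraft.io to the SSO.
    Assumed: the request arrives as a top-level cross-site POST (auto-submitted
    OpenID form); a plain GET redirect is checked alongside for contrast."""
    post = Request(cross_site=True, top_level=True, method="POST", https=True)
    get = Request(cross_site=True, top_level=True, method="GET", https=True)
    broken = parse_set_cookie("openid_referer=snapcraft.io; Path=/")
    fixed = parse_set_cookie("openid_referer=snapcraft.io; Path=/; SameSite=None; Secure")
    return {"old default, POST": cookie_sent(broken, post, lax_by_default=False),
            "lax default, POST": cookie_sent(broken, post, lax_by_default=True),
            "lax default, GET": cookie_sent(broken, get, lax_by_default=True),
            "fixed, POST": cookie_sent(fixed, post, lax_by_default=True)}
```

The "lax default, POST" entry is the one that goes False once the browser applies the new default, which matches the redirect loop the report describes.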
Related branches
- Daniel Manrique (community): Approve
- Diff: 23 lines (+2/-1), 2 files modified:
  - django_project/settings_base.py (+1/-0)
  - src/identityprovider/views/server.py (+1/-1)
Changed in canonical-identity-provider:
- status: New → In Progress
- assignee: nobody → Maximiliano Bertacchini (maxiberta)
- summary: "Openid refresh dance in some sites still broken with new "SameSite:lax"" → "Openid refresh dance in some sites still broken with new "SameSite=lax" cookie policy"

Changed in canonical-identity-provider:
- status: In Progress → Fix Committed
- importance: Undecided → Critical
- summary: "Openid refresh dance in some sites still broken with new "SameSite=lax" cookie policy" → "Openid refresh dance in some sites still broken with Firefox new "SameSite=lax" cookie policy"

Changed in canonical-identity-provider:
- status: Fix Committed → Fix Released
Here's the relevant Firefox experiment: https://bugzilla.mozilla.org/show_bug.cgi?id=1622091
[Experiment] Staged Rollout: Beta rollout of SameSite lax change Fx 79.0 to 81.0 Beta
Start Date: 2020-06-30 End Date: 2020-10-08