# HG changeset patch # User bsw # Date 1597923894 -7200 # Node ID f1258993d9930869c1db14cef3cc51a57ce21159 # Parent 2b4b243f625ec45d77138e34b5ff45296463c144 Fixed issue with oauth/session endpoint and samesite cookies diff -r 2b4b243f625e -r f1258993d993 app/main/_filter/20_session.lua --- a/app/main/_filter/20_session.lua Tue Aug 18 19:54:45 2020 +0200 +++ b/app/main/_filter/20_session.lua Thu Aug 20 13:44:54 2020 +0200 @@ -1,14 +1,20 @@ -local cookie = request.get_cookie{ name = config.cookie_name or "liquid_feedback_session" } +local cookie = request.get_cookie{ name = config.cookie_name } +local cookie_samesite = request.get_cookie{ name = config.cookie_name_samesite } + +if + cookie and cookie ~= cookie_samesite + and not (request.get_module() == "oauth" and request.get_view() == "session") +then + slot.put_into("error", _"Cookie error. Try restarting your web browser and login again.") + return +end if cookie then app.session = Session:by_ident(cookie) end if not app.session then app.session = Session:new() - request.set_cookie{ - name = config.cookie_name or "liquid_feedback_session", - value = app.session.ident - } + app.session:set_cookie() end locale.set{ lang = app.session.lang or config.default_lang or "en" } diff -r 2b4b243f625e -r f1258993d993 app/main/_prefork/10_init.lua --- a/app/main/_prefork/10_init.lua Tue Aug 18 19:54:45 2020 +0200 +++ b/app/main/_prefork/10_init.lua Thu Aug 20 13:44:54 2020 +0200 @@ -60,6 +60,14 @@ config.check_delegations_default = "confirm" end +if config.cookie_name == nil then + config.cookie_name = "liquid_feedback_session" +end + +if config.cookie_name_samesite == nil then + config.cookie_name_samesite = config.cookie_name .. "_samesite" +end + if config.ldap == nil then config.ldap = {} end diff -r 2b4b243f625e -r f1258993d993 app/main/role/_action/switch.lua --- a/app/main/role/_action/switch.lua Tue Aug 18 19:54:45 2020 +0200 +++ b/app/main/role/_action/switch.lua Thu Aug 20 13:44:54 2020 +0200 
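Review bot: The new two-cookie check at the top of 20_session.lua has no comment saying what it protects against, so a maintainer cannot tell from the code why `cookie ~= cookie_samesite` is treated as an error. I would add above the `if`: `-- The session id is issued twice: under config.cookie_name with SameSite=None (needed by the cross-site oauth/session endpoint) and under config.cookie_name_samesite with the browser's default SameSite handling; a request presenting the first cookie without a matching second one did not originate same-site (or carries a stale pre-upgrade cookie) and is refused unless it targets oauth/session.` Note that the error branch returns without rewriting or clearing either cookie, so a browser that still holds only an old `liquid_feedback_session` cookie keeps hitting "Cookie error" until that cookie is gone; that matches the "restart your browser" advice only if the cookies are session-scoped, which the expiry-less `set_cookie` in this patch suggests but does not prove. Consider also logging the mismatch, since it is exactly the signal of a cross-site request that carried the session cookie.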
@@ -31,10 +31,8 @@ app.session:destroy() - request.set_cookie{ - name = config.cookie_name or "liquid_feedback_session", - value = session.ident - } + session:set_cookie() + elseif app.session.real_member_id then local session = Session:new() session.member_id = app.session.real_member_id @@ -42,10 +40,8 @@ app.session:destroy() - request.set_cookie{ - name = config.cookie_name or "liquid_feedback_session", - value = session.ident - } + session:set_cookie() + end if config.meta_navigation_home_url then diff -r 2b4b243f625e -r f1258993d993 model/session.lua --- a/model/session.lua Tue Aug 18 19:54:45 2020 +0200 +++ b/model/session.lua Thu Aug 20 13:44:54 2020 +0200 @@ -40,6 +40,18 @@ return session end +function Session.object:set_cookie() + request.set_cookie{ + name = config.cookie_name, + value = self.ident, + samesite = "none" + } + request.set_cookie{ + name = config.cookie_name .. "_samesite", + value = self.ident + } +end + function Session.object:additional_secret_for(purpose) local use_hash = false local idx = secret_purposes[purpose]
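Review bot: `Session.object:set_cookie` leaves the second (`_samesite`) cookie without an explicit `samesite` attribute, so the filter's `cookie ~= cookie_samesite` comparison only detects cross-site requests in browsers that already default to Lax; where the default is None, both cookies arrive cross-site and the check passes. I would make it explicit with `samesite = "lax"` on the second `request.set_cookie` call, assuming `request.set_cookie` accepts that value as it does `"none"`. The first call sets `samesite = "none"` with no `secure` flag, and current browsers drop SameSite=None cookies that are not also Secure, so add `secure = true` there unless `request.set_cookie` already adds it (not visible in this patch). The second cookie's name is built as `config.cookie_name .. "_samesite"` while the filter in app/main/_filter/20_session.lua reads `config.cookie_name_samesite`, so an operator who overrides that setting gets a cookie written under one name and read under another and every request fails the check; use `name = config.cookie_name_samesite` here to keep writer and reader in step.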