saml_session cookie does not set same site flag

[RouganStriker]

The README refers to the session cookie as a SameSite cookie but the implementation does not actually set the SameSite flag on the cookie which leaves the value up to the browser. Shouldn't the saml session cookie also use the SESSION_COOKIE_SAMESITE value from Django settings to tell the browser which SameSite setting to use?

[peppelinux]

Hi @RouganStriker
For samesite cookie we have an additional cookie, designed specifically for SSO that have a SameSite flag set to none, that's not the default django one.

you can find it here:
https://github.com/knaperek/djangosaml2/blob/master/djangosaml2/middleware.py

let me know If I miss something or any misunderstanding of mine
feel free to close this issue if you got the right answer

[RouganStriker]

Yup, I see that for SSO we are creating a separate cookie that uses the same domain, path, secure, and http only flags as the Django session cookie. But the same SameSite value used for the Django session cookie isn't being for the SSO session cookie. Was there a reason it as explicitly set to None?

[peppelinux]

Yes, because a cross domain post (SLO) with a samesite cookie = none, will be posted also to the idp (different domain). Otherwise the IdP won't detect the user session and SLO fails

[RouganStriker]

Sorry I'm not very familiar with this particular use case. Why does the SP and IdP need to share a session cookie? I thought in the SLO scenario the user session/identifier is sent to the IdP as part of the Logout Request.

For a bit of context, I am trying looking at this from a security perspective to understand if there are any concerns with this SAML session cookie lacking the CSRF protection of the SameSite flag.

[peppelinux]

they doesn't need to share that.
when you come back to the IDP this latter would also check if you've a real session (based on the cookie it have issues to you after auth).

Putting a cookie will enforce SLO security. SameSite cookie prevent that a cookie would reach is issues during a cross domain
HTTP POST

[RouganStriker]

To make sure I am understanding this correctly, the SAML session cookie has the SameSite flag disabled to handle the case where the cookie needs to be accessed by the IdP during a SLO POST request?

[peppelinux]

Yes Il gio 18 feb 2021, 02:18 Kelvin Chan <notifications@github.com> ha scritto:

…

To make sure I am understanding this correctly, the SAML session cookie has the SameSite flag disabled to handle the case where the cookie needs to be accessed by the IdP during a SLO POST request? — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#243 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AAJ4ZVEZOVIYHUGVIEMGCSTS7RTGDANCNFSM4XBG357Q> .