[Bug]: session cookie is missing in Chrome and Safari

[thomasleplus]

Is there an existing issue for this?

• I have searched the existing issues

Current Behavior

It seems that Firefox accepts the session cookie with flag SameSite=None with a warning but not Chrome or Safari. Chrome says:

Cookies marked with SameSite=None must also be marked with Secure to allow setting them in a cross-site context. This behavior protects user data from being sent over an insecure connection.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be set by cross-site requests.

As a result, the OIDC flow ends in an internal server error 500 and the following message in the debugger log: "error opening session".

Expected Behavior

No internal server error.

version

v1.25.3-2

Relevant log output

"error opening session"

Steps To Reproduce

Just use a recent version of Chrome or Safari.

Anything else?

No response

[thomasleplus]

The issue was initially reported by @jawabuu, see #24 (comment).

[thomasleplus]

@jawabuu I have a fix: apparently setting the Secure flag on the cookie is sufficient and it seems the cookie is sent to localhost despite the fact that TLS is not used. That should solve the issue for now (although the long-term solution is probably to support TLS, I will create a separate issue for that). I need a couple of hours to find the time to test the fix with different browsers and to release. I will let you know when it's done.

[jawabuu]

@thomasleplus So I tried it on a server with https redirect_uri

2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:556: openidc_discover(): openidc_discover: URL is: https://auth.example.com/.well-known/openid-configuration
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:107: openidc_cache_get(): cache hit: type=discovery key=https://auth.example.com/.well-known/openid-configuration
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:674: openidc_get_token_auth_method(): 1 => client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:677: openidc_get_token_auth_method(): no configuration setting for option so select the first supported method specified by the OP: client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:691: openidc_get_token_auth_method(): token_endpoint_auth_method result set to client_secret_post
2024/05/07 15:55:11 [debug] 6#6: *5 [lua] openidc.lua:1551: authenticate(): Authentication is required - Redirecting to OP Authorization endpoint
10.42.0.151 - - [07/May/2024:15:55:11 +0000] "GET /debug HTTP/1.1" 302 151 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"
2024/05/07 15:55:39 [error] 6#6: *5 lua entry thread aborted: runtime error: access_by_lua(/etc/nginx/conf.d/default.conf:40):5: attempt to concatenate field 'cookie_session' (a nil value)
stack traceback:
coroutine 0:
        access_by_lua(/etc/nginx/conf.d/default.conf:40): in main chunk, client: 10.42.0.151, server: localhost, request: "GET /login?code=cYO2iky5urTtXYIpXCLKiKJMfeVsfmXLKo_PJKvwCIQ.otORxcIsi2k8-Z8qM1tcncZejFF
5RgWM1Er1Hfm3Psg&scope=openid%20email%20profile&state=d1f01e26d4c4f3f10713e862354ad346 HTTP/1.1", host: "openid.prod.chura.co.ke", referrer: "https://www.example.com/"
10.42.0.151 - - [07/May/2024:15:55:39 +0000] "GET /login?code=cYO2iky5urTtXYIpXCLKiKJMfeVsfmXLKo_PJKvwCIQ.otORxcIsi2k8-Z8qM1tcncZejFF5RgWM1Er1Hfm3Psg&scope=openid%20email%20profile&state=d1f01e26d4c4f3f10713e86
2354ad346 HTTP/1.1" 500 585 "https://www.example.com/" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/124.0.0.0 Safari/537.36"

[thomasleplus]

Sorry I wasn't clear. The issue is that the page starting the OpenID Connect flow (http://localhost:8080/debug) is not using https so the session cookie that it sets is discarded. That's why you get the error that 'cookie_session' is nil (missing).

The fix that I found is to set the Secure flag on the cookie. Then it is saved even though the page is not https. At least for Chrome. But Safari has a peculiar bug (at least IMHO): it does not save cookies received in redirection response. I didn't know that but it is well documented:

• https://stackoverflow.com/questions/57026956
• https://discussions.apple.com/thread/4735033

I will try to think about a workaround but for now I have pushed the fix that works for Chrome. I hope that will help.