docs: adding a line about CSRF cookie problems (#1843)
Issue I experienced today: running Hydra 1.4.10 in dangerous HTTP mode, the CSRF cookie defaulted to SameSite=None, but the cookie was not marked as secure (which makes sense, as Hydra is running over HTTP), so the cookie gets ignored (and I was getting "CSRF value not present" errors).

I was able to get around it by either overriding the SameSite setting, or by switching to TLS termination.
robhinds authored May 6, 2020
1 parent 085e42c commit 697b0f5
Showing 1 changed file with 1 addition and 0 deletions.
1 change: 1 addition & 0 deletions docs/versioned_docs/version-v1.5/debugging.mdx
@@ -47,6 +47,7 @@ reverse proxy supports path rewrites that might also cause issues!
- You are trying to do two OAuth2 flows at the same time in the same Browser.
- You have changed the Cookie SameSite behavior. If this is the default value (you did not change it), this should
not be an issue.
- You are using the `--dangerous-force-http` CLI flag to run via HTTP, but have not changed the Cookie SameSite behaviour. The default value for SameSite setting is `None`, which also requires the cookie be marked as `Secure` which won't be set whilst running Hydra over HTTP.

:::warn
You cannot call `/oauth2/auth` using an AJAX request. It is not allowed and not possible with OAuth2.
