Support for SameSite cookies

[skanct]

SameSite cookies are already supported by Chrome and Firefox, but at the moment not enabled by default. When enabled (tested with Chrome 76 beta), the SAML authentication breaks. Namely, when the IdP uses the SAML HTTP-POST binding to send the SAML Response back to the SATOSA backend and SameSite cookies are enabled, the SATOSA cookie will not be included in the POST request and SATOSA will fail.

This is not an immediate problem, but it will become a problem when/if browsers turn on SameSite cookies by default.

Code Version

master

Expected Behavior

When SATOSA creates the state cookie, it should have SameSite set to None

Current Behavior

There is no support for SameSite. The change for SATOSA is trivial, but the problem is that the python http library also has to support SameSite cookies. SameSite cookie support has been added to the python 3.8 branch

Possible Solution

Wait for python 3.8 and then add support for SameSite cookies in state.py. In the meantime, for SATOSA deployments that are behind an HTTP reverse proxy, the problem can be mitigated by setting the cookie parameters in the HTTP reverse proxy.

For nginx the following directive does the trick:

proxy_cookie_path ~(/*) "$1; SameSite=None";

Steps to Reproduce

1. Download Chrome 76 beta
2. Go to chrome://flags
3. Enable "SameSite by default cookies"
4. Clear all cookies
5. Use SATOSA to authenticate to a SAML IdP (The domain of the IdP has to be different from the domain of the SATOSA instance)

References

• https://blog.chromium.org/2019/05/improving-privacy-and-security-on-web.html
• https://web.dev/samesite-cookies-explained/
• https://tools.ietf.org/html/draft-west-cookie-incrementalism-00
• https://github.com/GoogleChromeLabs/samesite-examples/blob/master/python.md

[mrvanes]

Keep in mind what webkit is doing: https://bugs.webkit.org/show_bug.cgi?id=198181

[andrewsali]

Any updates on this? As per this Auth0 post chrome will soon implement by default the samesite 'lax' setting if no samesite is specified, which will break http-post binding.

https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/

[andrewsali]

As per the above article the recommended solution would be for SATOSA to set 2 cookies, one for legacy/buggy browsers and one for the new behaviour.

According to https://www.chromium.org/updates/same-site, the rollout for Chrome will start February 17. Is it plausible that there will be a resolution from SATOSA side by then using the 2-cookie approach?

If not, then we will need to investigate workarounds, but those are unfortunately bound to be messy (e.g. useragent sniffing, proxy based cookie tampering, etc..)

[mrvanes]

There is some news to add to that. It turns out Google agreed to gracefully support the "old" behaviour if the cross domain POST is a result of a request that happened within two minutes before. So, that means the user has two minutes to identify herself at the IdP for a succesful authentication, which should be enough in the general case. I have no idea how long this behaviour will be supported and I haven't tested it myself. I have seen other reporting succesful tests for this behaviour.

[andrewsali]

Thanks for pointing that out @mrvanes , that is some relief, although they are being very vague on the Chromium site about how long this will be allowed.

In any case this issue seems quite pressing and would probably require implementation of the 2 cookie approach from SATOSA side (if possible) in the near future.

[mrvanes]

There are two impediments for implementing this in SATOSA as of the moment of writing:

1. There is no one-size-fits-all solution as you say because there is old/new/other (apple) behaviour that causes breakage, so exact user-agent inspection is required and I haven't seen a perfect inspection flow for all browsers (yet).
2. Setting the required cookie (SameSite) is only officially supported in python from 3.8 and we're not there yet for most of the deployments. Doing it on 3.7 or below would require "monkey patching" the cookie release.

[andrewsali]

There is however a browser independent solution as recommended by Google and referenced in the Auth0 article. SATOSA needs to send 2 cookies, one SATOSA_STATE (with Samesite=None and Secure) and one SATOSA_STATE_LEGACY with the latter being sent with the current settings. Then SATOSA needs to check when parseing the cookie if SATOSA_STATE exists (should for new browsers), if not then try parsing SATOSA_STATE_LEGACY (which will make it work with old Safari, etc..).

I see the point with respect to Python 3.8, however I think this fix will become necessary as Chrome is such a dominant browser.

[mrvanes]

1. I wasn't aware of the browser independent hack Google suggests, thx for pointing that out!
2. I agree Google is quite dominant but for the moment we are saved.
3. I'm not in any way the leading architect for this project, @c00kiemon5ter is. I was just informing you of the results of the discussion we had on Slack ;)

[andrewsali]

Sure, I understand and of course it's great that this project is being developed for the community. If it would be possible to put the 2 cookie workaround on the near roadmap to avoid any sudden issue, that would be great, as addressing it within SATOSA itself would be the best solution. But of course I understand there are many things to consider and we will try to act accordingly as things develop. Thanks again for your work on this great project!

…

On Mon, Feb 3, 2020 at 10:30 AM Martin ***@***.***> wrote: 1. I wasn't aware of the browser independent hack Google suggests, thx for pointing that out! 2. I agree Google is quite dominant but for the moment we are saved. 3. I'm not in any way the leading architect for this project, @c00kiemon5ter <https://github.com/c00kiemon5ter> is. I was just informing you of the results of the discussion we had on Slack ;) — You are receiving this because you commented. Reply to this email directly, view it on GitHub <#245?email_source=notifications&email_token=ADTBRJ2Q6WOCBKXALE25GULRA7PZ5A5CNFSM4H2WIPYKYY3PNVWWK3TUL52HS4DFVREXG43VMVBW63LNMVXHJKTDN5WW2ZLOORPWSZGOEKTDVIY#issuecomment-581319331>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ADTBRJ4ZYUGL5PRBIL6JCEDRA7PZ5ANCNFSM4H2WIPYA> .

[c00kiemon5ter]

That actually sounds like a great solution. I will try to put something along those lines soon. Thanks for bringing this up ;)

[c00kiemon5ter]

Fixed by 7f5f0a1 (see the commit message).

A new dependency is needed: cookies-samesite-compat

• https://github.com/c00kiemon5ter/cookies_samesite_compat
• https://pypi.org/project/cookies-samesite-compat/

This is part of release v6.1.0