[server] Cookies should set SameSite='None' #165
Comments
…s-samesite with the PR to manage secure flag resolving #165
Another way to work around this would be to drop use of the session cookie and switch to full JWT authentication. It would enable us to get rid of the CSRF token, wouldn't it?
https://security.stackexchange.com/questions/166724/should-i-use-csrf-protection-on-rest-api-endpoints/166798#166798 @gnuletik, shall we drop use of token authentication? Would the following solution fit your actual stack on timeside-player? We need anyhow to specify more precisely the TimeSide REST API requirements regarding the login workflow.
Hi @Tointoin, We should be able to drop the CSRF token if we use JWT authentication, yes. The solution mentioned on Medium is based on Vuex. Most of this should already be abstracted by the SDK, but the same principle remains :)
Hi @Tointoin Thanks for the inputs! Regarding the limitations of cookie usage, the CSRF stuff, the SameSite property limitations, the study you have done on the JWT technique and the fact that it is clearly the future for managing various clients, it seems really welcome to go for it. But I know it can be hard to implement. So, @gnuletik, could you please evaluate the time needed for the switch on the frontend side before we decide to go for it?
At this stage, we only have to resolve points 3 and 4, so don't bother with the signup and token sharing processes.
Hi @yomguy, I was able to log in and make a request using the JWT token.
Then, I'm able to use the token to make a request
However, we may face unexpected issues because:
If we cannot rely on the schema / SDK to handle the securitySchemes
I'll also have to:
So, hopefully, switching the authentication mechanism in the player/sdk can be done in 3-4 days.
We cannot send an access/refresh token by email because they both expire. Instead, the user should get his token using the
No, the JWT tokens are not meant for this usage because tokens expire.
The user onboarding workflow is an interesting issue to be solved, yes.
Hi @gnuletik Thanks for this quick and detailed study. Regarding the issue you mention and the development we need to include all the login methods in the app, I think we have to postpone this feature. We could give it more effort in an industrial context we don't have yet. But to me, in the context of the WASABI research project, I think it is not a big problem to act and say that our player works on Firefox only, for good reasons. So let's focus on consuming all the API features we already have. Sorry, I was wrong about the workflow with the token exchange protocol; my point of view was effectively on the user side, which finally should not have to bother with any token manually. OK for discussing the use cases in a separate issue.
Hi @Tointoin,
The issue you mentioned before on
Yep, I've seen it, let's wait for the release.
Hi @Tointoin, As we can use JWT authentication for API calls on different domains, I think that we don't need to implement the SameSite attribute anymore. I'm closing it for now. Feel free to re-open if needed!
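The two points the thread makes about JWT (that a bearer token sent in an Authorization header sidesteps the cookie/CSRF problem, and that tokens expire, so they cannot simply be mailed to a user) are illustrated by the following added example. It is not TimeSide's or the player's code: it is a self-contained HS256 mint/verify pair on the Python standard library, with an assumed secret and an assumed five-minute access-token lifetime.

```python
"""Added example (not TimeSide code): minimal HS256 JWT mint and verify.

The browser never attaches an Authorization header on its own, so a
cross-site request from another origin carries no credential and the
CSRF token discussed in the thread is not needed on these endpoints.
The verifier also enforces `exp`, which is why an access token cannot be
handed out by email as a long-lived credential.
"""
import base64
import hashlib
import hmac
import json
import time

SECRET = b"assumed-demo-secret-do-not-use"  # assumed; load from config in practice
ACCESS_LIFETIME = 5 * 60                       # assumed access-token lifetime, seconds


def _b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode("ascii")


def _b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _dump(obj) -> str:
    return _b64url(json.dumps(obj, separators=(",", ":")).encode("utf-8"))


def mint(user_id: str, now=None, lifetime: int = ACCESS_LIFETIME) -> str:
    """Return a compact JWT for `user_id` that expires `lifetime` seconds from `now`."""
    now = int(time.time()) if now is None else now
    header = _dump({"alg": "HS256", "typ": "JWT"})
    payload = _dump({"sub": user_id, "iat": now, "exp": now + lifetime})
    sig = hmac.new(SECRET, f"{header}.{payload}".encode("ascii"), hashlib.sha256).digest()
    return f"{header}.{payload}.{_b64url(sig)}"


def verify(token: str, now=None) -> dict:
    """Return the payload if the signature and expiry check out, else raise ValueError."""
    now = int(time.time()) if now is None else now
    parts = token.split(".")
    if len(parts) != 3:
        raise ValueError("malformed token")
    header_b64, payload_b64, sig_b64 = parts
    header = json.loads(_b64url_decode(header_b64))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")  # never let the token choose the algorithm
    expected = hmac.new(SECRET, f"{header_b64}.{payload_b64}".encode("ascii"), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, _b64url_decode(sig_b64)):
        raise ValueError("bad signature")
    payload = json.loads(_b64url_decode(payload_b64))
    if now >= payload["exp"]:
        raise ValueError("token expired")
    return payload


def authenticate(headers: dict, now=None):
    """Resolve the user from a request's Authorization header, or None.

    Cookies are ignored on purpose: only an explicit bearer token counts,
    so a cross-site form post or image load cannot act as the user.
    """
    auth = headers.get("Authorization", "")
    if not auth.startswith("Bearer "):
        return None
    try:
        return verify(auth[len("Bearer "):], now)["sub"]
    except ValueError:
        return None


if __name__ == "__main__":
    t0 = 1_600_000_000  # constructed reference time
    tok = mint("alice", now=t0)
    print("fresh token ->", authenticate({"Authorization": "Bearer " + tok}, now=t0 + 60))
    print("after expiry ->", authenticate({"Authorization": "Bearer " + tok}, now=t0 + ACCESS_LIFETIME))
    print("cookie only  ->", authenticate({"Cookie": "sessionid=abc"}, now=t0))
```

A refresh token would be minted the same way with a longer lifetime and exchanged for new access tokens server-side; the point for the thread is that neither kind is a credential a user should receive and paste by hand.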
In app/settings.py, we set
The result of this configuration is to ignore the SameSite cookie attribute (as seen below). However, starting from Chrome 80, cookies without a SameSite attribute have the 'Lax' value.
This breaks the player as we need the authentication cookie to be available on different domains.
Note: For testing purposes, you can disable this Chrome feature with
There is no way to set this cookie to 'None' in Django (string value) as of today. The issue was fixed 3 months ago by the Django team in this commit and will be released in Django 3.1 (release planned for August 2020).
In the meantime, we can either:
@Tointoin @yomguy What are your thoughts?
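Until Django can emit SameSite=None itself, the attribute can be added after the fact by rewriting the outgoing Set-Cookie headers. The following is an added example, not TimeSide's code or the PR referenced above: a pure standard-library function that forces `SameSite=None` on an assumed set of cookie names, and a small WSGI-style header rewrite around it. It also applies the caveat Chrome 80 enforces alongside the Lax default: a `SameSite=None` cookie is rejected unless it is also `Secure`, so the two attributes are set together.

```python
"""Added example (not TimeSide code): rewrite Set-Cookie headers so selected
cookies carry SameSite=None together with Secure."""
from http.cookies import SimpleCookie

# Assumed: the cookies the player needs to be sent cross-site.
CROSS_SITE_COOKIES = frozenset({"sessionid", "csrftoken"})


def force_samesite_none(set_cookie: str, names=CROSS_SITE_COOKIES) -> str:
    """Return `set_cookie` with SameSite=None and Secure added when the cookie
    name is in `names`; any other cookie is returned unchanged.

    Chrome 80+ treats a cookie with no SameSite attribute as Lax, and it
    discards a SameSite=None cookie that is not also Secure, so both
    attributes are set here rather than leaving Secure to the caller.
    """
    jar = SimpleCookie()
    jar.load(set_cookie)
    if len(jar) != 1:
        raise ValueError("expected exactly one cookie per Set-Cookie header")
    (name, morsel), = jar.items()
    if name not in names:
        return set_cookie
    morsel["samesite"] = "None"   # overrides Lax/Strict if already present
    morsel["secure"] = True
    return morsel.OutputString()


def cookie_attributes(set_cookie: str) -> dict:
    """Parse a Set-Cookie header into a dict of its non-empty attributes
    (plus 'name'), for checking the result of the rewrite."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    (name, morsel), = jar.items()
    attrs = {key: value for key, value in morsel.items() if value != ""}
    attrs["name"] = name
    return attrs


def rewrite_headers(headers):
    """Apply force_samesite_none to every Set-Cookie pair in a WSGI-style
    header list; other headers pass through. Assumed integration point: a
    middleware wrapping the Django response."""
    return [
        (key, force_samesite_none(value) if key.lower() == "set-cookie" else value)
        for key, value in headers
    ]


if __name__ == "__main__":
    # Constructed sample headers, shaped like Django's output when
    # SESSION_COOKIE_SAMESITE is None (no SameSite attribute at all).
    sample = [
        ("Content-Type", "application/json"),
        ("Set-Cookie", "sessionid=abc123; HttpOnly; Path=/"),
        ("Set-Cookie", "csrftoken=xyz789; Path=/; SameSite=Lax"),
        ("Set-Cookie", "theme=dark; Path=/"),
    ]
    for key, value in rewrite_headers(sample):
        print(f"{key}: {value}")
```

Because Secure is forced, the rewritten cookies are only sent over HTTPS; that matches the Chrome requirement but means local HTTP development needs the feature flag mentioned in the issue rather than this rewrite.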