Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

docs: Adding details about CSRF cookie problems #1843

Merged
merged 1 commit into from
May 6, 2020
Merged

docs: Adding details about CSRF cookie problems #1843

merged 1 commit into from
May 6, 2020

Conversation

robhinds
Copy link
Contributor

@robhinds robhinds commented May 5, 2020

Issue I experienced today, running Hydra 1.4.10 in dangerous HTTP mode, the CSRF cookie defaulted to SameSite=None, but the cookie was not marked as secure (which makes sense, as Hydra is running over HTTP), so the cookie gets ignored (and was getting CSRF value not present errors).

I was able to get around it by either overriding the SameSite setting, or by switching to TLS termination.

Related issue

Proposed changes

Additional line in the docs about CSRF issues if SameSite=None and running over HTTP (the cookie won't be marked as Secure, and modern browsers such as Chrome will just ignore the cookie)

Checklist

  • I have read the contributing guidelines.
  • I have read the security policy.
  • I confirm that this pull request does not address a security
    vulnerability. If this pull request addresses a security. vulnerability, I
    confirm that I got green light (please contact
    security@ory.sh) from the maintainers to push
    the changes.
  • I have added tests that prove my fix is effective or that my feature
    works.
  • I have added or changed the documentation.

@robhinds
Adding a line about CSRF cookie problems
bc96314 
Issue I experienced today, running Hydra 1.4.10 in dangerous HTTP mode, the CSRF cookie defaulted to SameSite=None, but the cookie was not marked as secure (which makes sense, as Hydra is running over HTTP), so the cookie gets ignored (and was getting CSRF value not present errors).

I was able to get around it by either overriding the SameSite setting, or by switching to TLS termination.
@CLAassistant
Copy link

CLAassistant commented May 5, 2020
edited

CLA assistant check
All committers have signed the CLA.

@robhinds robhinds changed the title Adding a line about CSRF cookie problems docs: Adding details about CSRF cookie problems May 5, 2020
@aeneasr aeneasr merged commit 697b0f5 into ory:master May 6, 2020
@aeneasr
Copy link
Member

aeneasr commented May 6, 2020

Thank you!

@aeneasr aeneasr mentioned this pull request May 6, 2020
Closed
@robhinds robhinds deleted the patch-1 branch May 6, 2020 08:18
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers
No reviews
Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

None yet
3 participants
@robhinds @CLAassistant @aeneasr