
Revert "authenticate,proxy: add same site lax to cookies" #2203

Merged
merged 1 commit into from
May 14, 2021

Conversation

desimone
Contributor

Reverts #2159

Summary

In certain situations, when Pomerium is paired with additional single-sign-on (SSO) systems (e.g. SAML) which perform a POST following authentication, the _pomerium session would not be set, and would result in an erroneous / blocking redirect flow loop.

Next steps

We should allow users to set their desired SameSite value as an option, and default to None.

Q: What is the Lax + POST mitigation?
This is a specific exception made to account for existing cookie usage on some Single Sign-On implementations where a CSRF token is expected on a cross-site POST request. This is purely a temporary solution and will be removed in the future. It does not add any new behavior, but instead is just not applying the new SameSite=Lax default in certain scenarios.
Specifically, a cookie that is at most 2 minutes old will be sent on a top-level cross-site POST request. However, if you rely on this behavior, you should update these cookies with the SameSite=None; Secure attributes to ensure they continue to function in the future.
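As an added illustration (not Pomerium code), the Go model below encodes the browser rules the Q&A above describes: a cookie with no SameSite attribute gets Chromium's two-minute Lax + POST exception on a top-level cross-site POST, an explicit SameSite=Lax cookie gets no such exception (which is why the SAML POST callback lost the session), and SameSite=None is honoured only together with Secure. The cookie name and value are constructed for the example.

```go
package main

import (
	"fmt"
	"net/http"
	"time"
)

// Chromium's "Lax + POST" window: a cookie that carries no SameSite
// attribute and is less than two minutes old is still attached to a
// top-level cross-site POST.
const laxPostWindow = 2 * time.Minute

// sentOnCrossSitePOST models whether a browser attaches c to a top-level
// cross-site POST (such as a SAML IdP posting back to Pomerium) issued
// `age` after the cookie was set. This models browser behaviour; it is
// not Pomerium's implementation.
func sentOnCrossSitePOST(c *http.Cookie, age time.Duration) bool {
	switch c.SameSite {
	case http.SameSiteNoneMode:
		// None is honoured only when the cookie is also Secure.
		return c.Secure
	case 0, http.SameSiteDefaultMode:
		// No attribute: treated as Lax, but with the temporary POST exception.
		return age < laxPostWindow
	default:
		// Explicit Lax or Strict: never sent on a cross-site POST.
		return false
	}
}

// sessionCookie builds a _pomerium-style session cookie with the chosen
// SameSite mode, mirroring the option the PR proposes to expose.
// The value is constructed for the example.
func sessionCookie(mode http.SameSite) *http.Cookie {
	return &http.Cookie{
		Name: "_pomerium", Value: "constructed-session-id",
		Path: "/", Secure: true, HttpOnly: true, SameSite: mode,
	}
}

func main() {
	modes := []http.SameSite{http.SameSiteDefaultMode, http.SameSiteLaxMode, http.SameSiteNoneMode}
	for _, m := range modes {
		c := sessionCookie(m)
		for _, age := range []time.Duration{30 * time.Second, 5 * time.Minute} {
			fmt.Printf("%-70s age=%-5v sent=%v\n", c.String(), age, sentOnCrossSitePOST(c, age))
		}
	}
}
```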

@desimone desimone added bug Something isn't working backport 0-14-0 labels May 14, 2021
@desimone desimone requested a review from a team as a code owner May 14, 2021 22:27
@desimone desimone requested a review from calebdoxsey May 14, 2021 22:27

codeclimate bot commented May 14, 2021

Code Climate has analyzed commit da92cb4 and detected 0 issues on this pull request.


@desimone desimone merged commit 51655a5 into master May 14, 2021
@desimone desimone deleted the revert-2159-cdoxsey/379-same-site branch May 14, 2021 22:36
github-actions bot pushed a commit that referenced this pull request May 14, 2021
desimone added a commit that referenced this pull request May 17, 2021
) (#2204)

This reverts commit d9cc26a.

Co-authored-by: bobby <1544881+desimone@users.noreply.github.com>