[Koha-bugs] [Bug 33259] Optionally set SameSite attribute of cookie to Strict

bugzilla-daemon at bugs.koha-community.org bugzilla-daemon at bugs.koha-community.org
Tue Mar 12 00:26:58 CET 2024


https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259

David Cook <dcook at prosentient.com.au> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|Passed QA                   |In Discussion

--- Comment #53 from David Cook <dcook at prosentient.com.au> ---
Actually, I'm momentarily going to move this to "In Discussion".

I think using a Strict SameSite attribute would break the SSO implementation,
especially in terms of CSRF.

You'd have an anonymous session, then you redirect to the IdP, and then you're
redirected back.

Since you're being redirected back via an external site, your browser shouldn't
send the Strict CGISESSID cookie, which means your CSRF validation will fail.

I'll test that in a minute.

We might need to always use a "Lax" SameSite attribute for anonymous sessions.

I'll try to think of any other problem scenarios...

-- 
You are receiving this mail because:
You are watching all bug changes.
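The redirect scenario in the comment above can be checked with a small model of browser SameSite behaviour. This is an added example, not code from the bug report or from Koha; the hostnames are constructed, and the model is a simplified reading of the RFC 6265bis rules (Strict: only same-site requests; Lax: additionally top-level navigations with a safe method such as GET; None: always). It goes one step beyond the comment by also modelling a cross-site POST return, which Lax does not cover either.

```python
"""Simplified model of which cookies a browser attaches under SameSite rules.

Added example for the Koha SameSite discussion; not part of Koha.
Rules modelled (simplified from RFC 6265bis):
  - Strict: sent only when the initiating site is the cookie's own site.
  - Lax:    also sent on top-level navigations using a safe method (GET/HEAD).
  - None:   sent on any request to the cookie's site.
"""
from dataclasses import dataclass

SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str        # site that set the cookie
    same_site: str   # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    target_site: str      # site the request goes to
    initiator_site: str   # site of the page (or redirecting server) that caused it
    method: str = "GET"
    top_level: bool = True  # True for navigations, False for subresources / XHR


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether the browser attaches `cookie` to `req`."""
    if cookie.site != req.target_site:
        return False  # cookie belongs to another site entirely
    if req.initiator_site == req.target_site:
        return True   # same-site request: every SameSite value allows it
    if cookie.same_site == "None":
        return True
    if cookie.same_site == "Lax":
        # Lax only relaxes for top-level navigations with a safe method
        return req.top_level and req.method.upper() in SAFE_METHODS
    return False      # Strict: never on a cross-site request


def sso_return_sends_session(same_site: str, return_method: str = "GET") -> bool:
    """Model the flow from the comment: an anonymous session cookie is set by
    Koha, the browser is redirected to the IdP, and the IdP sends it back.
    Returns True if CGISESSID accompanies the request that arrives back at Koha.
    Hostnames are constructed placeholders."""
    koha = "koha.example"
    idp = "idp.example"
    session = Cookie("CGISESSID", "anonymous-session-id", koha, same_site)

    # Step 1: first visit sets the cookie; Step 2: Koha redirects to the IdP.
    # Step 3: the IdP redirects (or POSTs) the browser back to Koha, so the
    # request that carries the SSO response is initiated cross-site.
    return_request = Request(target_site=koha, initiator_site=idp,
                             method=return_method, top_level=True)
    return cookie_is_sent(session, return_request)


if __name__ == "__main__":
    for attr in ("Strict", "Lax", "None"):
        for method in ("GET", "POST"):
            sent = sso_return_sends_session(attr, method)
            print(f"SameSite={attr:<6} return via {method:<4}: "
                  f"CGISESSID {'sent' if sent else 'NOT sent'}")
```

Running it shows the failure mode described in the comment: with `Strict` the session cookie is absent on the return hop, so any CSRF token bound to that session cannot be validated, while `Lax` keeps the cookie for a top-level GET return. The POST row is the caveat to keep in mind when choosing `Lax` as the fallback: if an IdP delivers its response by a cross-site form POST, `Lax` withholds the cookie as well, so the session state for the return leg has to be carried some other way.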