[Koha-bugs] [Bug 33259] Optionally set SameSite attribute of cookie to Strict
bugzilla-daemon at bugs.koha-community.org
bugzilla-daemon at bugs.koha-community.org
Tue Mar 12 00:55:40 CET 2024
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259
David Cook <dcook at prosentient.com.au> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|In Discussion |Failed QA
--- Comment #54 from David Cook <dcook at prosentient.com.au> ---
Going to mark this as Failed QA in any case as it doesn't take into account the
CGISESSID cookie created by the OIDC in Koha/REST/V1/OAuth/Client.pm.
--
Also, as I feared, with SameSite of "Strict", OIDC SSO is broken.
--
Interestingly, when Keycloak POSTs a 302 to Koha it doesn't work, but there is
a scenario with Keycloak where a Strict cookie is still sent after a redirect.
If I log into Keycloak first, and then I go to Koha and click "Log in with
Keycloak", I'm redirected from Koha to Keycloak and redirected from Keycloak to
Koha. In this situation where it's two GET 302s in a row, the Strict cookie is
still sent, and I'm logged into Koha using Keycloak.
--
You are receiving this mail because:
You are watching all bug changes.
More information about the Koha-bugs
mailing list