Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

Cookies with samesite=none must have the secure attr set #570

Merged
merged 2 commits into from
Jan 5, 2022
Merged

Cookies with samesite=none must have the secure attr set #570

merged 2 commits into from
Jan 5, 2022

Conversation

adamjmcgrath
Copy link
Contributor

Description

Fix issue where transient and session cookies weren't cleared when SameSite=None

If SameSite=None is set, the cookie Secure attribute must also be set (or the cookie will be blocked)
https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#none

References

fixes #569

Testing

  • This change adds test coverage for new/changed/fixed functionality

Checklist

  • I have added documentation for new/changed functionality in this PR or in auth0.com/docs
  • All active GitHub checks for tests, formatting, and security are passing
  • The correct base branch is being used, if not main

@adamjmcgrath adamjmcgrath added the review:medium Medium review label Jan 4, 2022
@adamjmcgrath adamjmcgrath requested a review from a team as a code owner January 4, 2022 13:06
Widcket
Widcket reviewed Jan 4, 2022
View reviewed changes
src/auth0-session/utils/cookies.ts
@@ -22,5 +22,17 @@ export const set = (res: ServerResponse, name: string, value: string, options: C
};

export const clear = (res: ServerResponse, name: string, options: CookieSerializeOptions = {}): void => {
set(res, name, '', { ...options, maxAge: 0 });
const { domain, path, secure, sameSite } = options;
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

sameSite is not being passed to set, because it's never added to clearOptions.

Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ooops didn't see you had already closed the PR.

Copy link
Contributor Author

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

That's intentional - you only need to pass path and domain (and sometime secure) when clearing the cookie, I'm just closing this because I can't reproduce #569 on https://localhost and I'm doing a bit more investigation

@adamjmcgrath
Copy link
Contributor Author

Update: reproduced #569 in an iframe and verified the fix in https://codepen.io/adamjmcgrath/pen/bGoKBMW

@adamjmcgrath adamjmcgrath reopened this Jan 5, 2022
@adamjmcgrath adamjmcgrath merged commit 8878974 into main Jan 5, 2022
@adamjmcgrath adamjmcgrath deleted the clear-cookie-samesite branch January 5, 2022 12:09
@adamjmcgrath adamjmcgrath mentioned this pull request Jan 6, 2022
Merged
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@Widcket Widcket Widcket approved these changes

Assignees
No one assigned
Labels
review:medium Medium review
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.

Clearcookie Doesn't Respect AUTH0_COOKIE_SAME_SITE
2 participants
@adamjmcgrath @Widcket