Third-party sessions/cookies breaking because of browser upgrades #94

Open
jrwdunham opened this issue Mar 28, 2020 · 0 comments
jrwdunham commented Mar 28, 2020

As of Feb/Mar 2020, modern browsers are not allowing third-party cookies unless they have secure=True and samesite=None. Thus OLDs are breaking: users can log in but no subsequent requests work, because those subsequent requests cannot send cookies. In this OLD, the fix should be in env-old/lib/python2.7/site-packages/onlinelinguisticdatabase/config/middleware.py:

app = SessionMiddleware(
    app,
    config,
    samesite='None',
    secure=True)

Beaker also needs to be updated to 1.10.0. See https://beaker.readthedocs.io/en/latest/changes.html. Use something like:

./env-old/bin/pip2.7 install beaker==1.10.0

To reproduce the error on a Chrome browser that is not currently exhibiting it, navigate to chrome://flags/, and search for samesite. Then set the following two settings to Enabled: SameSite by default cookies and Cookies without SameSite must be secure.

@jrwdunham jrwdunham self-assigned this Mar 28, 2020
@jrwdunham jrwdunham added the bug label Mar 28, 2020
jrwdunham added a commit that referenced this issue May 27, 2020
jrwdunham added a commit to dativebase/old-pyramid that referenced this issue May 27, 2020
jrwdunham added a commit to dativebase/old-pyramid that referenced this issue Jan 16, 2022
- Modify config.ini:
  - Set session.secure = true
  - Set session.samesite = None
- See this issue in the original OLD: dativebase/old#94.
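
A check for the condition described in the issue and in the config change above, added here as an example (it is not code from the OLD or from the issue author): it classifies `Set-Cookie` headers by whether a browser enforcing the two Chrome flags would attach the cookie to cross-site requests. The header strings and the cookie name `session_id` are constructed for illustration.

```python
# Added example: constructed headers; "session_id" is a hypothetical cookie name.
SENT = "sent cross-site"
REJECTED = "rejected: SameSite=None without Secure"
WITHHELD = "withheld cross-site"


def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name, attrs


def third_party_verdict(header):
    """Classify one cookie under 'SameSite by default cookies' plus
    'Cookies without SameSite must be secure'."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        return SENT if "secure" in attrs else REJECTED
    # Lax, Strict, or a missing/unknown value (treated as Lax): the cookie is
    # stored but not attached to cross-site XHR/fetch requests.
    return WITHHELD


def audit(headers):
    """Return [(cookie name, verdict)] for every Set-Cookie header given."""
    return [(parse_set_cookie(h)[0], third_party_verdict(h)) for h in headers]


# Constructed samples: before the fix, a half-applied fix, and after the fix.
SAMPLES = [
    "session_id=abc123; Path=/; HttpOnly",
    "session_id=abc123; Path=/; HttpOnly; SameSite=None",
    "session_id=abc123; Path=/; HttpOnly; Secure; SameSite=None",
]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLES):
        print(name, "->", verdict)
```

Running `audit` over the `Set-Cookie` headers captured from a login response shows whether both settings took effect; setting `samesite` without `secure` gets the cookie rejected outright instead of merely withheld.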