[Bug 26019] New: Koha should set SameSite attribute on cookies


[Bug 26019] New: Koha should set SameSite attribute on cookies

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

            Bug ID: 26019
           Summary: Koha should set SameSite attribute on cookies
 Change sponsored?: ---
           Product: Koha
           Version: master
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5 - low
         Component: System Administration
          Assignee: [hidden email]
          Reporter: [hidden email]
        QA Contact: [hidden email]
                CC: [hidden email]

Browsers are starting to show warnings about this attribute missing.

https://web.dev/samesite-cookies-explained/

--
You are receiving this mail because:
You are the assignee for the bug.
You are watching all bug changes.
_______________________________________________
Koha-bugs mailing list
[hidden email]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs
website : http://www.koha-community.org/
git : http://git.koha-community.org/
bugs : http://bugs.koha-community.org/

[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

Tomás Cohen Arazi <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           See Also|                            |https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=25360


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

David Cook <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #1 from David Cook <[hidden email]> ---
I'm more interested in this one now after replying to your comment on Bug
25360.

I figure CGISESSID should be SameSite=Lax, but maybe other cookies could be
SameSite=Strict.

That being said... even things like "intranet_bib_list" it would be good to
send as SameSite=Lax, because they affect the display of the landing page if
you're already authenticated and you're going to
/cgi-bin/koha/catalogue/search.pl?q=test (in say a new tab for instance).

I imagine this one will need a lot of thinking...


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

Marcel de Rooy <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |[hidden email]

--- Comment #2 from Marcel de Rooy <[hidden email]> ---
Why wouldn't we add a preference like SameSiteCookie to include cookie names
that do not want to default to Lax?

So e.g. SameSiteCookie = cookieA:None, cookieB:Strict
CookieA and CookieB should respond to the pref and the other ones default to
Lax? Which is becoming the behavior in most browsers? Or even add the fallback
in the pref itself?

We could add a wrapper around CGI->cookie to set it.
Koha::Cookie->new({ attributes })->generate ?


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #3 from David Cook <[hidden email]> ---
(In reply to Marcel de Rooy from comment #2)
> Why wouldn't we add a preference like SameSiteCookie to include cookie names
> that do not want to default to Lax?

Why should we let librarians determine cookie settings? It seems to me that we
as developers are best suited to making those choices?


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #4 from Marcel de Rooy <[hidden email]> ---
(In reply to David Cook from comment #3)
> (In reply to Marcel de Rooy from comment #2)
> > Why wouldn't we add a preference like SameSiteCookie to include cookie names
> > that do not want to default to Lax?
>
> Why should we let librarians determine cookie settings? It seems to me that
> we as developers are best suited to making those choices?

I agree that most librarians would not. But we have more preferences that
should be set by sysadmins. But surely, we could move them to koha-conf.xml.
Risking the argument that people want to change them and have no access..


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #5 from Tomás Cohen Arazi <[hidden email]> ---
(In reply to David Cook from comment #3)
> (In reply to Marcel de Rooy from comment #2)
> > Why wouldn't we add a preference like SameSiteCookie to include cookie names
> > that do not want to default to Lax?
>
> Why should we let librarians determine cookie settings? It seems to me that
> we as developers are best suited to making those choices?

I think we should provide a sane default, and probably have a separate tab for
'Risky area'.


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #6 from David Cook <[hidden email]> ---
But what's the use case for a Koha staff user changing the SameSite value for a
cookie?

Due to deep linking (e.g. linking to a search result page and visiting it as an
authenticated user), I can't think of a case off the top of my head that
shouldn't be SameSite=Lax.

With SameSite=None, we'd be letting any site send that cookie. I can't see any
reason to do that. We wouldn't be creating tracking cookies, and I don't know
why we'd let another site send a cookie to Koha via a background call.

SameSite=Strict sounds good in theory for internal cookie usage, but - due to
that deep linking I mentioned - every cookie I can think of should be sendable
when externally navigating to the site. That said, I'd be willing to test this
theory to try to prove it wrong. I have a feeling that using SameSite=Strict
would break a lot of Koha functionality when navigating directly to a page
(like search results), but I'm happy to be proven wrong.


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #7 from David Cook <[hidden email]> ---
So I'd argue it's not just a case of people creating a security risk by using
SameSite=None, but also a case of people breaking things by using
SameSite=Strict, which really just leaves SameSite=Lax, which is why that's the
default in browsers I imagine.

SameSite=Lax is a sane default.

SameSite=None has no obvious use to me for Koha.

SameSite=Strict... maybe but probably not. The exception being if we re-routed
people through a login page for new navigations, even when authenticated. If
someone clicked a link in their email for
http://localhost:8081/cgi-bin/koha/catalogue/search.pl?q=test, and they already
had a valid Koha session for localhost:8081, we could bounce them through
http://localhost:8081/cgi-bin/koha/mainpage.pl, which would then allow you to
use SameSite=Strict.

But I doubt we're going to change how we handle authentication and navigation
just to use SameSite=Strict.


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #8 from David Cook <[hidden email]> ---
I've actually been looking for cookies on sites I use, and for the most part I
don't see any actually setting SameSite. (Of course, many of the sites are
using ServiceWorker, and at a glance it's not obvious what it's doing in the
background.)

One exception is a load balancer stickiness CORS cookie, AWSALBCORS, which has
"SameSite=None". (More info available at
https://forums.aws.amazon.com/ann.jspa?annID=7413)

Noticing a "SameSite=None" cookie for www.google.com which is a
tracking/targeting/advertising cookie.


[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #9 from David Cook <[hidden email]> ---
I notice some console errors saying "A cookie associated with a cross-site
resource at http://youtube.com/ was set without the `SameSite` attribute. A
future release of Chrome will only deliver cookies with cross-site requests if
they are set... with `SameSite=None` and `Secure`."

Is *this* the warning mentioned in
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019#c0?

If so, I think we can safely ignore it, except in cases where we're doing
Cross-Origin Resource Sharing (CORS) requests, but I don't see why we'd be
passing a cookie with a CORS request (unless you were doing a CORS request to
the API with a cookie but that seems problematic and unnecessary since you can
use OAuth2 or Basic Auth for the API).


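The "cookieA:None, cookieB:Strict" preference format proposed in comment #2, the Lax-by-default and deep-link reasoning of comments #6 and #7, and the "SameSite=None requires Secure" rule quoted in comment #9, modelled together as an added example that is not Koha's code (Koha is written in Perl; this is a language-agnostic Python model). The function names, the CGISESSID/cookieA/cookieB sample values and the browser rules below are constructed for illustration, not Koha internals.

```python
# Constructed model of the SameSite policy debated in this thread (not Koha code).
DEFAULT_SAMESITE = "Lax"            # fallback argued for in comments #6 and #7
VALID_VALUES = {"Lax", "Strict", "None"}


def parse_samesite_pref(pref):
    """Parse the 'cookieA:None, cookieB:Strict' format proposed in comment #2.
    Unlisted cookies fall back to DEFAULT_SAMESITE; unknown values are rejected
    rather than passed through to the browser."""
    policy = {}
    for item in (p.strip() for p in pref.split(",")):
        if not item:
            continue
        name, sep, value = item.partition(":")
        value = value.strip().capitalize()          # accept 'lax', 'STRICT', ...
        if not sep or not name.strip() or value not in VALID_VALUES:
            raise ValueError(f"bad SameSiteCookie entry: {item!r}")
        policy[name.strip()] = value
    return policy


def set_cookie_header(name, value, policy, secure, http_only=True, path="/"):
    """Render one Set-Cookie header value. Browsers only honour SameSite=None
    together with Secure (the Chrome warning quoted in comment #9), so over
    plain HTTP the cookie is downgraded to the default instead of being
    silently rejected."""
    samesite = policy.get(name, DEFAULT_SAMESITE)
    if samesite == "None" and not secure:
        samesite = DEFAULT_SAMESITE
    parts = [f"{name}={value}", f"Path={path}", f"SameSite={samesite}"]
    if secure:
        parts.append("Secure")
    if http_only:
        parts.append("HttpOnly")
    return "; ".join(parts)


def browser_sends(samesite, cross_site, top_level_nav, method="GET"):
    """Would a browser attach this cookie to a request, per the SameSite rules?
    Strict: same-site only. Lax: also cross-site top-level navigations with a
    safe method, e.g. clicking a search.pl?q=test link in an e-mail (the
    deep-link case from comments #6 and #7). None: always."""
    if not cross_site or samesite == "None":
        return True
    if samesite == "Lax":
        return top_level_nav and method in ("GET", "HEAD")
    return False                                    # Strict
```

Running `browser_sends("Strict", cross_site=True, top_level_nav=True)` returns False while the same call with "Lax" returns True, which is exactly the session-cookie breakage on deep links that comment #7 predicts for Strict.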
[Bug 26019] Koha should set SameSite attribute on cookies

bugzilla-daemon
In reply to this post by bugzilla-daemon
https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=26019

--- Comment #10 from David Cook <[hidden email]> ---
Ahhh yes I assume that must be what this is about?

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Fixing_common_warnings

If the browser is showing this warning for Koha, then we should look at that
particular cookie and its usage. Otherwise, I don't argue that no changes are
necessary.
