-
-
Notifications
You must be signed in to change notification settings - Fork 436
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Support "SameSite" cookie property #414
Comments
sounds good :) |
Note, PHP 7.3 is now GA and supports SameSite natively (ref(:
So I think the third-party library route should be skipped in favor of just requiring PHP 7.3 (see #129 and #449 as prerequisites) and the question is, make this a default or make it configurable? I propose to make it configurable separately for Admin and Frontend and use "Strict" by default for Admin and "Lax" by default for Frontend. From OWASP:
|
Reference magento/magento2#26377 |
@colinmollenhour Why don't we rewrite the model core/cookie which might be better way of changing this abstract class? |
For the samesite cookie policy means loss of sales since or payment integration with adyen fails with this new policy. In essence it is a catastrophe that Magento does not support this, need to be fixed urgently. |
@othuress Can you submit a PR for the issue as described above? I think we've agreed on what needs to be done so should be quick to get it merged. |
@colinmollenhour What is an PR? This? To solve this issue the SESSION cookie should be set as |
PR - Pull Request - Most of us don't have time dedicated to feature development so if you can contribute a thorough pull request for the issue it will become a reality much faster. :) |
@colinmollenhour I will look into this! |
Is this something to look at (soon)? Just upgraded chrome and getting multiple warnings. We are on php 7.2 ... To get things straight - the problem and solution can be the following? Please edit if incorrect So what I understand is something like this?
Also to be certain of the process: the cookie logic is?
So one would need some logic to
https://stackoverflow.com/a/60716636/1173670 |
I was testing this with PHP 7.4. I set I tried forcing the In While testing payment redirect scenarios the |
In our case under Magento 1.9, nginx, PHP 7.1, where we couldn't really do PHP Our solution was then to update the Magento's |
Thanks for the update. I am trying to understand how "critical" this is (for the PSP issue like Buckaroo linked above I can imagine that case is urgent)? |
@seansan if you do Magento 1 and use third party integrations (which most magento websites do), this is the top priority for now. In our case we still support several Magento 1 clients and this week at least we have four clients reporting this issue, and all are related to payment. Those clients reporting this issue are all using third party credit card payment service where the customer need to be redirected to the bank's payment gateway, then in normal case he will be redirected back to checkout success page upon successful payment. But due to this issue, although order has been successfully placed with confirmed payment, customer was redirected back to empty shopping cart page and logged out automatically (which caused confusion for the customers). |
This is actually an issue with multiple platforms like Prestashop 1.7 and third party payment modules. I can confirm that clients of ours with M1 and Prestashop and customers using Chrome the same thing happens as @adityaputra mentions. |
As mentioned on #922 I think the SameSite=None for payment gateway redirects should be implemented using a separate cookie, one that only authenticates the user on the return page and not in general. This way the primary cookie can be left alone and you aren't giving up 100% of the benefit of the SameSite feature.
Edit: maybe this can be implemented in a generalized way so that it can be used for any situation that uses a redirect back to a specific controller action. For example, the payload could contain "real_session_id:nonce:authorized_controller_action". |
Multiple clients of ours report no payments processed because shop buyers sessions are lost after 3D secure redirection. This is critical because all payments going through 3D secure redirection fail. |
@SarunasCard are they running PHP7.3 - we had the same issue on a client's website but upgrading from PHP 5.6 to PHP7.3 seemed to fix it. |
Thank you @waynetheisinger. This could help few clients. But not everyone can upgrade PHP version (fast) while this issue cause huge amount of lost sales orders every day. And on top of that lots of leaving customers and additional work to manage failing orders. |
* Support SameSite cookie property (fixes issue #414) * Support SameSite cookie property (fixes issue #414) * Open in new tab * Default fallback to None just in case someone forgets to clear cache * * Force secure if SameSite None * SameSite consistency for renew and delete functions * Code formatting #OCD :) * PHP 7.0 compatibility * Fix pipeline errors * Removed incorrect copyright docs
SameSite=None will not work with all web clients, eg Safari has bug: |
luckily safari supports this now |
What are everyone's thoughts on modifying Magento to support the SameSite cookie declaration? This is supported currently by Chrome and Firefox and when set prevents cookies from being sent on requests that did not originate from the same domain and thus is an effective prevention against CSRF. Magento already uses the formkey block for CSRF prevention but it seems every patch adds places where this was missed and that does nothing for third-party code that doesn't implement it. I believe official support will eventually come with PHP 7.3, but until then the cookie header can be set directly, such as with this third-party library: https://github.com/delight-im/PHP-Cookie
With SameSite (and users using supported browsers) the user's cookie would not even be sent to the server so CSRF attempts would be stopped dead at the authentication step for all requests (including GET) rather than depending on the forms and controllers to have implemented formkey (which is only supported for POST).
I am not aware of any way that this would break BC because the class that would need to be modified cannot be rewritten using config.xml as it is only an abstract (in practice) class.
The text was updated successfully, but these errors were encountered: