Getting csrf_attack exception in callback but only on Safari and Safari Mobile #86
I tried to debug the issue and basically it looks like the strategy is writing the It looks like the server is not getting everything for some reason. The weird thing is that it's only happening on my side with the latest Safari and Safari Mobile.
I am seeing the same problem sporadically but I can't pinpoint it to a specific browser/OS. @nicolasblanco were you able to find the exact cause of the issue?
I faced a similar issue in Chrome today; the code was working fine last month. Then I tried using HTTPS in my dev environment and made the GOOGLE_REDIRECT_URI point to https, and it worked again.
On my side I was getting this exception both on local dev and on production, where all my servers and redirect links are on HTTPS, so it's not only related to HTTPS in my opinion. Also, I'm getting this exception all the time and not sporadically on Safari and Safari Mobile.
If anyone is still experiencing this issue, I would be curious to know whether the browser is sending the
Still have this issue. Tried changing SameSite to None and Strict, but still had the same issues; it fails in all browsers. The default on most browsers changed from None to Lax, so I'm thinking the problem has something to do with SameSite=Lax being appended to the Set-Cookie header.
If you have the opportunity, can you open the network inspector (in the settings, "preserve logs") and copy the Set-Cookie response header here? That would help us diagnose this. Changing SameSite to None may not work if your endpoint thinks it is operating over http instead of https. Plug will automatically set the "Secure" attribute on the cookie accordingly. This can happen, for example, if you terminate SSL and do not have a header informing Plug of the original protocol.
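To make the point above concrete, here is an added example; it is not code from the Ueberauth project or from anyone in this thread. It assumes Plug 1.11 or later (for `Plug.RewriteOn`), a TLS-terminating proxy that forwards the client's original scheme in `X-Forwarded-Proto`, and a hypothetical cookie name `demo_state`. It sets a cookie with `Plug.Conn.put_resp_cookie`, the same call a state cookie goes through, once on the raw forwarded request and once after `Plug.RewriteOn` has restored the scheme, and prints the resulting Set-Cookie headers side by side.

```elixir
# Added example (not from Ueberauth or this thread). Assumes Plug >= 1.11 and a
# TLS-terminating proxy that sets X-Forwarded-Proto.
# Run with: elixir forwarded_proto_demo.exs
Mix.install([{:plug, "~> 1.14"}])

defmodule ForwardedProtoDemo do
  import Plug.Conn

  # The request as a TLS-terminating proxy hands it to the app: plain HTTP on
  # the wire, with the client's original scheme carried in a header.
  # (Host and path are constructed for the demo.)
  def forwarded_request do
    Plug.Test.conn(:get, "http://example.test/auth/github")
    |> put_req_header("x-forwarded-proto", "https")
  end

  # Set a cookie the way a state cookie is set, via put_resp_cookie, leaving the
  # Secure attribute to Plug: Plug adds it only when conn.scheme is :https.
  # "demo_state" is a hypothetical cookie name.
  def set_state_cookie(conn) do
    put_resp_cookie(conn, "demo_state", "abc123", http_only: true, same_site: "Lax")
  end

  # Send the response and return the Set-Cookie header(s) the client would see.
  def set_cookie_headers(conn) do
    conn
    |> send_resp(302, "")
    |> get_resp_header("set-cookie")
  end

  # Without scheme rewriting conn.scheme stays :http, so Plug omits "secure".
  def without_rewrite do
    forwarded_request()
    |> set_state_cookie()
    |> set_cookie_headers()
  end

  # With Plug.RewriteOn, conn.scheme becomes :https from X-Forwarded-Proto and
  # Plug appends "secure". Only trust this header when the proxy is the sole
  # path to the app; otherwise a client can set it itself.
  def with_rewrite do
    opts = Plug.RewriteOn.init([:x_forwarded_proto])

    forwarded_request()
    |> Plug.RewriteOn.call(opts)
    |> set_state_cookie()
    |> set_cookie_headers()
  end
end

IO.inspect(ForwardedProtoDemo.without_rewrite(), label: "without Plug.RewriteOn")
IO.inspect(ForwardedProtoDemo.with_rewrite(), label: "with Plug.RewriteOn")
```

The first header lacks the `secure` attribute because the endpoint believes it is serving plain HTTP; the second carries it. That difference matters for the SameSite experiments above, since browsers refuse to store a `SameSite=None` cookie that is not also `Secure`. In a Phoenix endpoint the equivalent fix is `plug Plug.RewriteOn, [:x_forwarded_proto]` placed before `Plug.Session` and before any plug that sets cookies.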
Here's the entire auth flow:

```
HTTP/2 302 Found
GET /login/oauth/authorize?client_id=Iv1.2f81a316e8262411&redirect_uri=&response_type=code&scope=user%3Aemail HTTP/2
HTTP/2 302 Found
GET /auth/github/callback?code=9898f57bd64bc1506454 HTTP/2
HTTP/2 302 Found
```
(Note: the above requests show a request for GitHub OAuth, not Google. Still going to look through it.) Looking at the above, and searching specifically for
This is where Ueberauth clears the state cookie after the callback is complete (regardless of success or failure). I don't see where this state cookie is being set during the request phase. If you go to the network tab and look at the original request to

Sidenote: for safety, I recommend logging out of the GitHub session you used to generate the above trace, just in case someone tries to use your session cookies for something nefarious.
The only warning I see is:

> Cookie “__session_key” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”. This means that the cookie will no longer be sent in third-party contexts. If your application depends on this cookie being available in such contexts, please add the “SameSite=None“ attribute to it. To know more about the “SameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Headers/Set-Cookie/SameSite

So I'm assuming this is the error, but where do I add the SameSite attribute? I've tried in the config to no avail. Thanks for looking at this even though it's across application bounds; it seems multiple Ueberauth plugins are having the same issue and this one had the most traction.
Just sharing based on my past experience, first some general things to check (for anyone reading) and then some specific thoughts for the above conversation. General Notes:
Specifics:
I fixed this by noticing my callback was running 2x. This was due to a failure in the callback of the controller I was running: it returned an unexpected response, so it wasn't technically failing, but Ueberauth wasn't setting the cookie.
Hello folks.
Right now I'm getting:
but only on Safari and Safari Mobile.
Everything is working fine on Chrome and Firefox.
I'm trying to inspect what is done differently in this browser...