Cookie SameSite=None issue in Google Chrome

by Joaquín Acevedo -
Number of replies: 4

Hi guys!

I need to redirect domain/folder to subdomain.anotherdomain without changing the first URL, domain/folder. On www.domain.com I have a WordPress site, and on subdomain.anotherdomain a Moodle site (3.8.2). Because of that, only domain/folder must be redirected, not the domain itself or domain/other_folder.

Well, I found that I can use an iframe with the URL of my Moodle site, and then activate "allowframembedding" in Moodle. Looks nice, but I found a problem. With Google Chrome I can log in to Moodle (from domain/folder). In the Google Chrome console I can see:

A cookie associated with a cross-site resource at anotherdomain was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`.

I read the fix in the tracker, MDL-67175. Line 314, with

session_set_cookie_params(0, $CFG->sessioncookiepath, $CFG->sessioncookiedomain, $cookiesecure, $CFG->cookiehttponly);

doesn't work?? It never marks the cookie with samesite=none and secure. I fixed that line, but then it didn't allow me to log in from any URL. Bad patch lol.

Well, any idea?

Many thanks in advance.

Average of ratings: -
In reply to Joaquín Acevedo

Re: Cookie SameSite=None issue in Google Chrome

by Mike Young -

Hi Joaquín! Having a similar issue with a Moodle install I work on, and I'm trying to figure out the problem.

This has been around for a while, but I think it might be more frequent because Google just rolled out enforcement of this SameSite stuff for Chrome 80+ on August 11th: https://www.chromium.org/updates/same-site.

Do you know which version of PHP you are running? If you're running 7.3 or higher, the cookie-setting code is not line 314 but rather these lines: https://github.com/moodle/moodle/blob/9ce2442ea91d7872a37e7d434d29ba2baf4671a5/lib/classes/session/manager.php#L296-L310.

What's happening for me is that this is working on one site running PHP 7.3 and Moodle 3.8.2 (20200309), but it's not working on another with the same specs. ¯\_(ツ)_/¯ Trying to figure out if it's a difference in the PHP environments etc. Will keep you posted if I discover anything! =)

In reply to Mike Young

Re: Cookie SameSite=None issue in Google Chrome

by Joaquín Acevedo -

Hi Mike!

On this particular web server I'm running PHP 7.1.33, so line 314 should do the work for me. According to this, the function

session_set_cookie_params(with five parameters)

doesn't set the same-site value. I tried with

session_set_cookie_params( array $options )

and it broke, maybe because I have PHP 7.1.33, I don't know. I tried to pass the parameter in another form and it worked! :D No more problem with the "same-site" issue in Google Chrome, until I try to log in to Moodle. The login doesn't work, and in Opera neither. Oops.

In your case, what are you seeing in the Google Chrome console? In my case I see the "same-site" issue; I fix it and see a new issue, "secure" (it's needed for the cookie); I fix that and see a new issue, "SSL certificate" (it's needed for the site now); and then I found the problem of not being able to log in in Opera.

If you have any clue, let me know, see you!

In reply to Joaquín Acevedo

Re: Cookie SameSite=None issue in Google Chrome

by Mike Young -

Hey Joaquín!

Strange! I did manage to fix my PHP 7.3 troubles, but it sounds like you've got something else going on. 

Some ideas:

MAYBE NOT AN IFRAME AFTER ALL

Reading through your original question again, I'm actually not sure if the iframe solution is your best move here. It might be simpler to add a redirect through your server.

If you're running Apache, you can do a mod_rewrite in an .htaccess file in domain/folder: https://stackoverflow.com/questions/31324928/redirecting-from-one-domain-to-another-with-mod-rewrite?rq=1. If you're running nginx, there's this: https://www.digitalocean.com/community/questions/enabling-nginx-mod_rewrite. If you're running something else, you can prolly Google for the mod_rewrite equivalent and figure it out from there. =) If you do it correctly, you won't need to embed Moodle in an iframe at all, and the end user won't know the difference.

IF YOU ABSOLUTELY NEED AN IFRAME

Of course, maybe I'm missing something and you really need an iframe! In that case, I'd suggest reverting any changes you might've made to lib/classes/session/manager.php, since the 3.8.2 code should work if I'm understanding your desired application correctly (serving Moodle, which is located in subdomain.anotherdomain, in an iframe from a page in domain/folder).

If Moodle is running on a server with PHP 7.1, here's what happens in manager.php:

  1. The session starts in start()
  2. prepare_cookies is called in start(), and because you're on PHP 7.1, session_set_cookie_params is called on line 314 properly for PHP 7.1 (which doesn't allow for the array-of-options signature; that didn't show up until 7.3; see the changelog on https://www.php.net/manual/en/function.session-set-cookie-params.php), and samesite isn't addressed at all in the session_set_cookie_params call.
  3. A few lines later in start(), initialise_user_session gets called, and at the end of that function, the hack that was added for Moodle 3.8.2 gets called: append_samesite_cookie_attribute. This is what Moodle uses to append the samesite attribute onto cookies for PHP versions less than 7.3.
  4. append_samesite_cookie_attribute checks to make sure the samesite stuff is necessary by checking should_use_samesite_none, and if it is, it appends "; SameSite=None" to the Set-Cookie header for all session_name() cookies.
So your problem would be somewhere in that sequence—perhaps should_use_samesite_none is returning false because you aren't using secure cookies? You can make sure secure cookies are on in admin/settings.php?section=httpsecurity (they're on by default). You should also check your php.ini, which is how I solved my problem.

HOW I FIXED MY PROBLEM (PHP 7.3)

Even tho my fix for my issue was for PHP 7.3, it might also be relevant/helpful for you (or for anybody else reading this after a Google!). From what I understand, your session.cookie settings in local or main php.ini files override whatever you set through script for individual cookies (reference), so session variables you set there would override Moodle's settings and attempts.

So in your case, you'd want to make sure something in your php.ini isn't overriding secure cookies by setting session.cookie_secure to 0 or Off. If you want to ensure secure cookies, you'd put this in your php.ini:

session.cookie_secure = 1

In my case, the problem was with session.cookie_samesite (only available in >= PHP 7.3) in a main php.ini file, where it was being set like this:

session.cookie_samesite = None

and needed to be set like this:

session.cookie_samesite = "None"

Because none without quotes means false in PHP ini files, and if you set it to false, you're unsetting it, which makes PHP not send the samesite attribute at all, and Chrome 80+ assumes that a missing samesite attribute means samesite=Lax ¯\_(ツ)_/¯ (reference).

***

Hope something in all that helps! =) The tl;dr: don't mess with manager.php, revert any changes you made there, maybe look into doing a mod_rewrite redirect instead of serving Moodle in an iframe, and if that isn't an option for some reason, check your php.ini files.
Average of ratings: Useful (1)
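As an added example (not Moodle's code and not posted by anyone in this thread), the following PHP illustrates the two points in the post above: how PHP's ini parser reads session.cookie_samesite with and without quotes, and a simplified stand-in for the PHP < 7.3 sequence (append_samesite_cookie_attribute guarded by should_use_samesite_none) that appends SameSite=None to the session cookie only when the cookie is Secure. The function names, header lines and cookie values below are constructed for illustration.

```php
<?php
// Added example (not Moodle's code): two offline checks for the points made above.
// (1) How PHP's ini parser reads session.cookie_samesite with and without quotes.
// (2) A simplified stand-in for the PHP < 7.3 workaround: append "; SameSite=None"
//     to the session cookie's Set-Cookie header, but only when the cookie is Secure,
//     since Chrome 80+ rejects SameSite=None without Secure.

// (1) Unquoted none/off/false/no are falsy keywords to the ini scanner and read as "",
// so the samesite attribute is effectively unset; the quoted form keeps the literal string.
function parse_samesite_setting(string $ini): string {
    $parsed = parse_ini_string($ini);
    if (!is_array($parsed)) {
        return ''; // Unparseable ini fragment: treat as unset.
    }
    return $parsed['session.cookie_samesite'] ?? '';
}

// (2) $headers is a list of raw header lines, as headers_list() would return them.
// $cookie_secure stands in for the is_moodle_cookie_secure() condition described above.
function append_samesite_none(array $headers, string $session_name, bool $cookie_secure): array {
    if (!$cookie_secure) {
        return $headers; // Same outcome as should_use_samesite_none() returning false.
    }
    $out = [];
    foreach ($headers as $h) {
        $is_session_cookie = stripos($h, 'Set-Cookie: ' . $session_name . '=') === 0;
        if ($is_session_cookie && stripos($h, 'samesite=') === false) {
            $h .= '; SameSite=None';
        }
        $out[] = $h;
    }
    return $out;
}

// Constructed sample data, not captured from a real server.
$headers = [
    'Set-Cookie: MoodleSession=abc123; path=/; secure; HttpOnly',
    'Set-Cookie: OtherCookie=xyz; path=/; HttpOnly',
];

var_dump(parse_samesite_setting('session.cookie_samesite = None'));
var_dump(parse_samesite_setting('session.cookie_samesite = "None"'));
print_r(append_samesite_none($headers, 'MoodleSession', true));
print_r(append_samesite_none($headers, 'MoodleSession', false));
```

Running it with `php` on the command line shows the unquoted setting collapsing to an empty string, and the SameSite attribute being appended to the session cookie only in the secure case.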
In reply to Mike Young

Re: Cookie SameSite=None issue in Google Chrome

by Mike Young -

p.s. quick clarification: even if you set session.cookie_secure = 1 in your php.ini, you'd still want to make sure $CFG->cookiesecure was set and true either through your admin settings or in your config.php.

Because otherwise is_moodle_cookie_secure() wouldn't return true, so neither would should_use_samesite_none(), and append_samesite_cookie_attribute() wouldn't append the SameSite=None onto the cookies. =)
Average of ratings: Useful (1)