thinkBug v0.16 beta - Build 2024-01-30

<< Zurück zur Projektauswahl | Projekt "OIDplus 2.0" - im Besucher-Modus

This bug tracker is deprecated! If possible, please report bugs via GitHub. Confidential bugs can be submitted via contact form.

<< Vorheriger Eintrag BUG#0000213 Nächster Eintrag >>

Bugreport: oauth.php of the login via google plugin csrf_token Text / Beschreibung: Hello, in oauth.php of the login via google plugin: //_CheckParamExists($_COOKIE, 'csrf_token'); was triggred. I commented this out as the state check does a kind of session va,lidation already? regards, Till Betroffene Komponente: Standard Betroffene Version: 2.x Autor: Gast Bearbeitet von: daniel-marschall Priorität: Niedrig Datum: 9. Mai 2021 18:52 Uhr Bug#: BUG#0000213 Status: RESOLVED Lösung: FIXED Aufgabe gelöst seit: 11. Mai 2021

Insgesamt 7 Antwort(en) vorhanden.

Hello Till, Thank you for your bug report. "_CheckParamExists" only prevents that PHP will throw an error (revealing the directory of the script) if the key does not exist in $_COOKIE. Nothing wrong with that. Actually, the issue is a different one! Previously, the "same site" property of the cookies has been changed from "Lax" to "Strict", therefore the cookie has vanished if the user is redirected back to the site, which happens during OAuth. We will fix this. In the meantime you can fix OAuth by applying: OIDplus::baseConfig()->getValue('COOKIE_SAMESITE_POLICY', 'Lax') in your base config. Maybe we have an idea to solve the issue without switching back to "Lax"? Take care, dave Autor: Gast Datum: 9. Mai 2021 20:19 Uhr

*I meant setValue() of course Autor: Gast Datum: 9. Mai 2021 20:24 Uhr

Hi, thank you for your report! As a quick-n-dirty fix, an error message has been added to the plugin in SVN Rev 563, if the SameSite policy is "Strict" instead of "Lax", until we have a "proper" fix. Added TODO Entry: If SameSite=Strict, the OAuth plugins won't work. Maybe we should not use the CSRF-Token cookie, but instead create a new cookie, which is always "Lax" while all others are "Strict"? Daniel Autor: daniel-marschall Datum: 9. Mai 2021 20:38 Uhr

Hi David, hi Daniel, I added this to the userdata config.inc.php OIDplus::baseConfig()->setValue('COOKIE_SAMESITE_POLICY', 'Lax'); However, this did not help, I still have to comment out the csrf check. Till Autor: Gast Datum: 10. Mai 2021 19:53 Uhr

Hi Till, The problem is most likely that you need to wipe your cookies, because the existing CSRF cookie is stored as "Strict", so you need to delete it to make it "Lax" again. a proper fix has now been uploaded to SVN. Now there are two CSRF cookies, one for AJAX and one for OAuth. At my test system, it seems to work (started OAuth in Chrome Incognito mode), I can login to OIDplus, but for some reason I get a "HTTP 500" on the 2-factor-authentication screen on my iPhone ? I will investigate it Please let mek now if it now works for you, and if you 2-factor-authentication works correctly Regards, Daniel Autor: daniel-marschall Datum: 10. Mai 2021 20:56 Uhr

At the second attempt (new incognito window), the 2FA does not display HTTP 500 Autor: daniel-marschall Datum: 10. Mai 2021 20:58 Uhr

Hi Daniel, yes, I think it is working now. Thank you!!! Till Autor: Gast Datum: 11. Mai 2021 14:16 Uhr

thinkBug © 2004 - 2025 ViaThinkSoft
thinkBug Logo © 2008 taccon software project
thinkBug v0.16 ^beta - Build 2024-01-30