ViaThinkSoft thinkBug  thinkBug v0.16 beta - Build 2024-01-30
<< Zurück zur Projektauswahl | Projekt "OIDplus 2.0" - im Besucher-Modus



This bug tracker is deprecated!
If possible, please report bugs via GitHub.
Confidential bugs can be submitted via contact form.

<< Vorheriger EintragBUG#0000213Nächster Eintrag >>
Bugreport: oauth.php of the login via google plugin csrf_token
Text / Beschreibung:

Hello,

in oauth.php of the login via google plugin:

//_CheckParamExists($_COOKIE, 'csrf_token');
was triggred.

I commented this out as the state check does a kind of session va,lidation already?

regards,
Till

Insgesamt 7 Antwort(en) vorhanden.
Hello Till,

Thank you for your bug report.

"_CheckParamExists" only prevents that PHP will throw an error (revealing the directory of the script) if the key does not exist in $_COOKIE. Nothing wrong with that.

Actually, the issue is a different one!
Previously, the "same site" property of the cookies has been changed from "Lax" to "Strict",
therefore the cookie has vanished if the user is redirected back to the site, which happens during OAuth.
We will fix this.

In the meantime you can fix OAuth by applying:
OIDplus::baseConfig()->getValue('COOKIE_SAMESITE_POLICY', 'Lax')
in your base config.

Maybe we have an idea to solve the issue without switching back to "Lax"?

Take care,
dave

*I meant setValue() of course

Hi,
thank you for your report!
As a quick-n-dirty fix, an error message has been added to the plugin in SVN Rev 563, if the SameSite policy is "Strict" instead of "Lax", until we have a "proper" fix.

Added TODO Entry:
If SameSite=Strict, the OAuth plugins won't work. Maybe we should not use the CSRF-Token cookie, but instead create a new cookie, which is always "Lax" while all others are "Strict"?

Daniel

Hi David, hi Daniel,
I added this to the userdata config.inc.php

OIDplus::baseConfig()->setValue('COOKIE_SAMESITE_POLICY', 'Lax');

However, this did not help, I still have to comment out the csrf check.

Till

Hi Till,

The problem is most likely that you need to wipe your cookies, because the existing CSRF cookie is stored as "Strict", so you need to delete it to make it "Lax" again.

a proper fix has now been uploaded to SVN. Now there are two CSRF cookies, one for AJAX and one for OAuth.

At my test system, it seems to work (started OAuth in Chrome Incognito mode), I can login to OIDplus, but for some reason I get a "HTTP 500" on the 2-factor-authentication screen on my iPhone ?
I will investigate it

Please let mek now if it now works for you, and if you 2-factor-authentication works correctly

Regards,
Daniel

At the second attempt (new incognito window), the 2FA does not display HTTP 500

Hi Daniel,
yes, I think it is working now.

Thank you!!!

Till




thinkBug © 2004 - 2024 ViaThinkSoft
thinkBug Logo © 2008 taccon software project
thinkBug v0.16 beta - Build 2024-01-30