SameSite cookies (ltijs issue, closed)

cvmcosta commented on September 28, 2024
SameSite cookies

from ltijs.

Comments (6)

esellin commented on September 28, 2024

I noticed the sameSite option in onConnect(), but it's too late. This is happening at the /login stage.

I'm not sure what externalRequest is meant to do when calling validUrl, but it's clearly not triggering for me, when it looks like it should.

I'll put some more debug tomorrow, and get back to you with more details about my exact use case.


Cvmcosta commented on September 28, 2024

@esellin Hello, I used to set sameSite to 'None' every time, but in new versions of Chrome, cookies containing sameSite but without the secure flag are not allowed. So now I let the user decide this flag, and only set it automatically if the tool detects an external request.

You can set the flag in the onConnect method:

lti.onConnect((connection, request, response) => {
  // Call redirect function
  lti.redirect(response, '/main')
}, { sameSite: 'None' })

I should have drawn attention to that in the documentation update, my bad.


Cvmcosta commented on September 28, 2024

@esellin I know it's confusing, but even the cookies at the login stage are managed by the options on onConnect. Bad decision early in the project; moving them could potentially break people's code, so I haven't done it yet. In future versions these configurations will be moved to the main constructor (I'll probably just keep the options at onConnect as deprecated options, to maintain retrocompatibility).

Can you try setting sameSite: 'None' in the onConnect method and tell me if it works?

(I also don't understand how the sameSite flag can cause errors in the login stage; the only cookies set are the state and iss validation cookies, and they shouldn't need the flag to work since theoretically they are not cross domain. Anyway, thanks for reporting this issue, I'll look into it. Feel free to share more details of the current situation before adding the sameSite: 'None' flag.)


esellin commented on September 28, 2024

It's working with sameSite: 'None' in the onConnect() options, thanks!

I think these cookies are cross-site cookies, because they're being sent to https://tool while the browser address bar is showing https://platform. Check out https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

Thanks anyway!


Cvmcosta commented on September 28, 2024

I'll consider how to move forward with this issue. I don't want to set sameSite automatically because in newer versions of Chrome it requires the secure flag, which would make local testing without https impossible. But I also don't want to break login if sameSite is not present.
I'll run some tests and try to come up with a solution (maybe change how I validate the login parameters?). I'll keep this issue open while I work on this to avoid duplicates.


Cvmcosta commented on September 28, 2024

This issue is now fixed in version 3.5. I'm using the database to store the validation information; it's more reliable and does not have the CORS restriction that caused the problems.
I also moved the cookie configurations to the main constructor, but kept the old parameters in the onConnection method to avoid breaking older code.
