Django CSRF protection in Facebook Tab or Canvas App - django

Django's CSRF protection sets a cookie with the token on the response and compares that to the token that is POSTed by the form. It appears that in my Facebook Tab app the CSRF cookie is never being set in Safari. I know this has to do with Safari's third-party cookie policy.
So how are others who are writing Facebook Tab apps or Canvas apps able to set cookies for their app if the user has never visited their domain (after which Safari would allow the cookie to be set)?

Related

Auth0+Safari issues: the application doesn’t see the Auth0 cookie (or any other cookie) until page refresh

We have implemented a custom sign-up flow (with a custom domain) for our SPA. It works well on Chrome, but we keep having issues with Safari.
Here is how I currently see the process and where I think we're experiencing the issue:
1. We send a request to the Auth0 API using our custom form from our SPA.
2. We get redirected to our custom subdomain. Auth0 handles authentication using our subdomain. The user successfully passes Auth0 authentication.
3. The user gets a cookie from Auth0.
4. After the cookie is received, Auth0 forwards the user to the app.
5. The issue starts here. We cannot see ANY cookies at all, and only on Safari. If we manually refresh the page, we start seeing ALL cookies, including the Auth0 cookie with the token.
What am I doing wrong? Is it some Safari bug I've never seen before?

How to set cookies in Chrome browser while on a different page?

I'm testing a website that requires cookies for access tokens. I have valid tokens that I'm setting in the "Application" tab of Chrome's developer tools. However, I can't always add cookies, because the page is programmed to redirect if no cookies are available. Thus, I need to be able to set a cookie with my token for this domain while on another domain's page. Is there a way to do this, or do I have to be on the same page that I want to set cookies for?

Cookies filtered out only in chrome

I have a Chrome extension which uses OAuth to authenticate users. This authentication creates cookies which are shared to detect authentication in my other applications.
So when I'm authenticated by OAuth in my extension, I can go to another app and then, if I refresh, I'm logged in without going through the login process. This is because the cookies created by my OAuth process are shared and detected by the other apps.
This works fine in browsers like Mozilla or Opera but doesn't work in Chrome, because the cookies are filtered out with this info message:
"This cookie was blocked because its path was not an exact match for or a super directory of the request url's path." (shown on screen next to the cookies with a question mark; the AUTH and KEYCLOAK prefixes)
Cookies with the AUTH and KEYCLOAK prefixes, highlighted in yellow, are filtered out.
How could I get Chrome to accept those cookies? More to the point, how could I handle this programmatically on the request that created the cookies, since I can't tell my users to modify their Chrome configuration?
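The message Chrome shows is its rendering of the cookie path-match rule from RFC 6265 section 5.1.4. The following is an added example, not code from the post above or from Keycloak: it implements that rule together with the default-path rule (the Path a cookie gets when Set-Cookie omits the attribute), runs it over a constructed cookie jar whose names follow the AUTH_* / KEYCLOAK_* prefixes the post mentions, and shows the server-side fix of setting an explicit Path. The realm name, paths and request URLs are assumptions.

```javascript
// Added example, not code from the post above. RFC 6265 section 5.1.4
// path matching, which is the rule behind Chrome's "not an exact match for
// or a super directory of the request url's path" message.

// Default-path (RFC 6265 5.1.4): everything up to, but not including, the
// right-most "/" of the request path; "/" when that would be empty. This is
// the Path a cookie gets when the Set-Cookie header carries no Path attribute.
function defaultCookiePath(requestPath) {
  if (!requestPath || requestPath[0] !== '/') return '/';
  const lastSlash = requestPath.lastIndexOf('/');
  return lastSlash === 0 ? '/' : requestPath.slice(0, lastSlash);
}

// Path-match (RFC 6265 5.1.4): identical, or cookie-path is a prefix of
// request-path and either ends in "/" or is followed by "/" in request-path.
function pathMatches(requestPath, cookiePath) {
  if (requestPath === cookiePath) return true;
  if (!requestPath.startsWith(cookiePath)) return false;
  if (cookiePath.endsWith('/')) return true;
  return requestPath[cookiePath.length] === '/';
}

// Constructed sample cookie jar (assumption): the realm name and paths are
// made up; only the name prefixes come from the post.
const SAMPLE_COOKIES = [
  { name: 'AUTH_SESSION_ID', path: '/auth/realms/myrealm/' },
  { name: 'KEYCLOAK_IDENTITY', path: '/auth/realms/myrealm/' },
  { name: 'KEYCLOAK_SESSION', path: '/auth/realms/myrealm/' },
  { name: 'app_prefs', path: '/' },
];

// Split a jar into the cookies the browser attaches to a request and the ones
// it filters out, with a Chrome-style reason for each blocked cookie.
function partitionByPath(requestPath, cookies) {
  const sent = [];
  const blocked = [];
  for (const c of cookies) {
    if (pathMatches(requestPath, c.path)) {
      sent.push(c.name);
    } else {
      blocked.push({
        name: c.name,
        reason: `Path=${c.path} is not an exact match for or a super directory of ${requestPath}`,
      });
    }
  }
  return { sent, blocked };
}

// Server-side fix: emit the cookie with an explicit Path that covers every
// application that must see it (here the site root) instead of relying on the
// default path derived from the OAuth callback URL.
function setCookieWithPath(name, value, path) {
  return `${name}=${value}; Path=${path}; Secure; HttpOnly`;
}

// Stand-alone run: the other app's page never sees the realm-scoped cookies.
console.log(partitionByPath('/app/dashboard', SAMPLE_COOKIES));
console.log('default path for the token endpoint:',
  defaultCookiePath('/auth/realms/myrealm/protocol/openid-connect/token'));
console.log(setCookieWithPath('KEYCLOAK_IDENTITY', 'tok', '/'));
```

A request to `/app/dashboard` only carries `app_prefs`; the three realm-scoped cookies fail the prefix test exactly as the Chrome message says. Widening the Path is a trade-off: a cookie scoped to `/` is presented to every path on the host, so only do it for cookies that every application on that host is meant to receive.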

SameSite attribute in cookies

I have a website a.com that has a third-party app pointing to apps.b.com. When I log in to a.com, I'm also authenticated to apps.b.com in the background using the same credentials. This is so users do not have to log in again to access apps.b.com. I understand that the browser sends all the cookies to apps.b.com when making the request to it. This is how it works now. Reading the article https://web.dev/samesite-cookies-explained/ about the SameSite attribute, it appears apps.b.com is a third-party site.
Now, do I have to configure the web server on a.com to set the cookie with SameSite=None; Secure, OR do I have to set SameSite=None; Secure on the web server on apps.b.com?
Any time you are making a cross-site request that needs cookies, then those cookies need to be marked SameSite=None; Secure.
So, for example if the user is on a.com and you have an <iframe> or fetch() to apps.b.com that expects cookies, then the apps.b.com cookies need SameSite=None; Secure.
Vice versa, if the user is on apps.b.com and you are making requests to a.com to check their auth status by relying on the a.com cookies, then those cookies need SameSite=None; Secure.
Essentially the pattern you're looking for is: when the site in the browser location bar is different from the site that needs the cookies, those are the cookies that need marking. So, depending on your setup, it may be one or both.
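The rule in the answer above, as an added example that is not code from the answer or from either site: a small model of which cookies a browser attaches to a request, given the site in the location bar, the request target, the kind of request and the cookie's SameSite attribute, applied to the a.com / apps.b.com setup from the question. The registrable-domain check is a two-label approximation (browsers use the Public Suffix List), and the hostnames, cookie names and scenario values are assumptions.

```javascript
// Added example, not code from the answer above. Models SameSite cookie
// delivery for cross-site requests and applies it to a.com embedding or
// fetching apps.b.com.

// Registrable-domain approximation: the last two DNS labels. Browsers use the
// Public Suffix List; this shortcut is an assumption for the example and is
// wrong for suffixes such as co.uk.
function siteOf(hostname) {
  return hostname.toLowerCase().split('.').slice(-2).join('.');
}

function isSameSite(hostA, hostB) {
  return siteOf(hostA) === siteOf(hostB);
}

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// cookie: { name, sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure }
// ctx:    { topLevelHost, requestHost, scheme, method, topLevelNavigation }
// A missing SameSite attribute is treated as Lax, Chromium's default.
function cookieWouldBeSent(cookie, ctx) {
  if (isSameSite(ctx.topLevelHost, ctx.requestHost)) {
    return { sent: true, reason: 'same-site request' };
  }
  const mode = cookie.sameSite || 'Lax';
  if (mode === 'Strict') {
    return { sent: false, reason: 'SameSite=Strict is never sent cross-site' };
  }
  if (mode === 'Lax') {
    if (ctx.topLevelNavigation && SAFE_METHODS.has(ctx.method)) {
      return { sent: true, reason: 'Lax allows safe-method top-level navigations' };
    }
    return { sent: false, reason: 'SameSite=Lax blocks cross-site iframe, fetch and POST requests' };
  }
  // SameSite=None is only honoured together with Secure over HTTPS.
  if (!cookie.secure || ctx.scheme !== 'https') {
    return { sent: false, reason: 'SameSite=None requires Secure and HTTPS' };
  }
  return { sent: true, reason: 'SameSite=None; Secure permits cross-site use' };
}

// Set-Cookie value for the site that is not in the location bar. Refuses the
// SameSite=None-without-Secure combination that browsers reject.
function setCookieWithSameSite(name, value, { sameSite = 'Lax', secure = false, httpOnly = true, path = '/' } = {}) {
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// The question's setup: the user is on a.com and the page embeds or fetches
// apps.b.com. Returns whether apps.b.com's session cookie reaches apps.b.com
// for three ways of setting it.
function appsBScenario() {
  const ctx = { topLevelHost: 'a.com', requestHost: 'apps.b.com', scheme: 'https', method: 'GET', topLevelNavigation: false };
  return {
    defaultCookie: cookieWouldBeSent({ name: 'sid' }, ctx).sent,
    noneWithoutSecure: cookieWouldBeSent({ name: 'sid', sameSite: 'None', secure: false }, ctx).sent,
    noneSecure: cookieWouldBeSent({ name: 'sid', sameSite: 'None', secure: true }, ctx).sent,
  };
}

console.log(appsBScenario());
console.log(setCookieWithSameSite('sid', 'abc', { sameSite: 'None', secure: true }));
```

Swapping `topLevelHost` and `requestHost` gives the mirror case in the answer (user on apps.b.com, request to a.com), where it is a.com's cookies that need `SameSite=None; Secure`. Note that the attribute only lifts the SameSite restriction: a browser that blocks third-party cookies outright, as Safari does by default, still refuses cookies for a cross-site iframe, which is the situation the Facebook Tab question at the top of this page describes.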

CSRF token is incorrect after login in SPA, but correct after page refresh

We are building a React SPA with django-rest-framework on the backend and use django-rest-auth for user authentication.
When the user has logged in, we show them a form for changing profile data. When the user submits this form, we take the CSRF token from the cookie in the login response and put it in the X-CSRFToken request header. The server responds that the token is missing or incorrect.
If the user refreshes the page and repeats the same actions, the CSRF token is correct and the profile data is updated.
How do we solve this problem, and why does it occur?
It looks like this is happening:
The login is successful
The cookie+token is created by the CSRF API and returned to the endpoint
The ready state executes some code not executed after the API response
The certificate is validated and the cookie+token is set in the database/app config/server-side cache during a GET request and/or by the ready state callback
Since there is no GET request until the refresh, the cookie+token is not centrally stored until then. Add a request to mimic what happens during the GET, then store it where it is currently being accessed for subsequent requests.
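The following is an added example, not code from the question or the answer above: the client-side handling of Django's CSRF cookie in a fetch()-based SPA, following the getCookie pattern in the Django CSRF documentation. The token is read from the cookie jar when each unsafe request is built rather than captured once, because django.contrib.auth.login rotates the CSRF token, so a value held from before login no longer matches. The cookie-source injection, the simulated jar contents and the token values are assumptions made so the code runs outside a browser.

```javascript
// Added example, not code from the question or answer above. Django CSRF
// token handling for a fetch()-based SPA: read the csrftoken cookie at
// request time, attach it as X-CSRFToken on unsafe methods.

// Parse a document.cookie-style string ("a=1; b=2") and return one value.
function getCookie(name, cookieString) {
  for (const part of cookieString.split(';')) {
    const trimmed = part.trim();
    if (trimmed.startsWith(name + '=')) {
      return decodeURIComponent(trimmed.slice(name.length + 1));
    }
  }
  return null;
}

const UNSAFE_METHODS = new Set(['POST', 'PUT', 'PATCH', 'DELETE']);

// Build the fetch() init for a same-origin request to the Django backend.
// cookieSource is injected (assumption) so the function runs outside a
// browser; in the browser it defaults to document.cookie.
function csrfRequestInit(method, body, cookieSource = () => document.cookie) {
  const init = {
    method,
    credentials: 'same-origin',
    headers: { 'Content-Type': 'application/json' },
  };
  if (UNSAFE_METHODS.has(method)) {
    const token = getCookie('csrftoken', cookieSource());
    if (!token) {
      throw new Error('csrftoken cookie missing: load a view that sets it (for example one decorated with ensure_csrf_cookie) before posting');
    }
    init.headers['X-CSRFToken'] = token;
  }
  if (body !== undefined) init.body = JSON.stringify(body);
  return init;
}

// Constructed simulation of one way the described failure arises: a token
// captured before login is reused after the server rotated it on login.
// The jar contents and token values are made up for the example.
function simulateProfileUpdate(readTokenAtRequestTime) {
  let jar = 'csrftoken=pre-login-token';
  const cachedToken = getCookie('csrftoken', jar);       // captured early
  jar = 'csrftoken=post-login-token; sessionid=s1';      // login rotated it
  const serverToken = 'post-login-token';                // what Django holds
  const init = csrfRequestInit('PUT', { name: 'new name' }, () => jar);
  const sentToken = readTokenAtRequestTime ? init.headers['X-CSRFToken'] : cachedToken;
  return sentToken === serverToken ? 200 : 403;
}

console.log('fresh read:', simulateProfileUpdate(true));   // 200
console.log('cached token:', simulateProfileUpdate(false)); // 403
```

In the browser the call is simply `fetch('/api/profile/', csrfRequestInit('PUT', data))`; this only works while the csrftoken cookie is readable by script, that is, with CSRF_COOKIE_HTTPONLY left at its default of False. If the cookie is HttpOnly, or CSRF_USE_SESSIONS is on, the token has to be delivered to the page another way, for example via the `{% csrf_token %}` template tag or a small endpoint that returns it.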