"Remember my username" does not work in simplesamlphp2.0.2.

[sinbino]

Describe the bug
"Remember my username" does not work in simplesamlphp2.0.2.

To Reproduce
Steps to reproduce the behavior:

1. go to the simplesamlphp login screen.
2. Enter your user name.
3. Check "Remember my username".
4. Press the login button.
5. When the login screen is displayed again, the user name is cleared.

Expected behavior
If the login screen appears again, the previously entered user name is pre-populated.

Screenshots or logs
N/A

Additional context
simplesamlphp is trying to set the username cookie in the response header when posting the login screen form, but it is failing.

My browser (Chrome/111.0.5563.111) is displaying the following error in set-cookie.
This attempt to set a cookie via a Set-Cookie header was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".

In previous versions of simplesamlphp (e.g. 1.19.1) the Remember username cookie was set as follows
set-cookie: mymodule-username=blah; expires=Thu, 28-Mar-2024 03:30:02 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Lax

In simplesamlphp 2.0.2 the Remember username cookie is set as follows
set-cookie: mymodule-username=blah; expires=Thu, 04-May-2023 15:26:37 GMT; Max-Age=3153600; path=/; httponly; samesite=none

The cookie with samesite=none is not accepted by the browser because security is not set, thus the "Remeber my username" is not working.
There does not seem to be a config in simplesamlphp 2.0.2 that can control the secure and samesite flags of the Remember username cookie.

[andreaswig]

It seems that in 2.0.3, SimpleSAMLphp is not even trying to set the cookie if a username or password is
set. '$t->headers->setCookie($cookie);' in line 306 of the core-Controller 'Login.php' is not reached then.

[thijskh]

Thanks, a PR to fix this bug would be most appreciated.

[tvdijen]

There does not seem to be a config in simplesamlphp 2.0.2 that can control the secure and samesite flags of the Remember username cookie.

I don't think it's desirable to add this setting for every individual cookie. You should probably configure your PHP-installation to default to true here.

edit : Could you try this patch to see if it changes anything for you?

[sinbino]

@tvdijen
Sorry it has taken so long to reply.
I have tried the patch, but it still does not seem to set the cookie.

[sinbino]

I tried to trace with v2.0.4.

modules/core/src/Controller/Login.php#136 - ENTRY Login::handleLogin
modules/core/src/Controller/Login.php#226 - CALL UserPassBase::handleLogin
modules/core/src/Auth/UserPassBase.php#284 - ENTRY UserPassBase::handleLogin
modules/core/src/Auth/UserPassBase.php#317 - CALL Auth\Source::completeAuth

completeAuth function throws an exception and NEVER RETURNS

The code where the cookie is set is after modules/core/src/Controller/Login.php#226 and appears to never be reached if the login is successful.

[tvdijen]

I'm a bit confused now... Where did the blocked cookie messages in your first post come from if the code is never reached?

I think I've fixed it now, but I must say I haven't tested it yet;
8bfdec2

[MaximilianKresse]

I stumbled over this bug too in SimpleSAML 2.1.0.

There does not seem to be a config in simplesamlphp 2.0.2 that can control the secure and samesite flags of the Remember username cookie.

I don't think it's desirable to add this setting for every individual cookie. You should probably configure your PHP-installation to default to true here.

edit : Could you try this patch to see if it changes anything for you?

This patch fixes the problem for me. The main problem is clearly that you set a SameSite 'none' cookie (on some user agents) without setting it to secure. This fix should go back into the main code - I'm a little bit shocked that it wasn't yet even if this bug report is already 6 months old.

Edit: Ok this problem seems to much more difficult to solve then expected... With this fix it only remembers the username if the authentification was not successful! Some informations about my setup first - I use SimpleSAML as an IDP and use an extended UserPassBase as authentification method. So after a successful login the client should be redirected to the SP.

The problem here is that UserPassBase::handleLogin does not return if the login is successful but instead directly sends the response by itself without any knowledge about the remember_username cookies. This happens in this method here: Source::loginCompleted()
I have no clue how to solve this without ripping everything apart 😕 The only hacky solution may be some kind of registry of cookies to send.

[tvdijen]

Correct, it is impossible to fix this right now without breaking backwards compatibility.
It was fixed in master, but that's really not an option to use due to major redesign / work-in-progress.

The referred patch did more harm then good, so I believe it was reverted days after.
I hope after your shock settles you understand why this is still open 6 months after.