New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
"Remember my username" does not work in simplesamlphp2.0.2. #1796
Comments
It seems that in 2.0.3, SimpleSAMLphp is not even trying to set the cookie if a username or password is |
Thanks, a PR to fix this bug would be most appreciated. |
I don't think it's desirable to add this setting for every individual cookie. You should probably configure your PHP-installation to default to edit : Could you try this patch to see if it changes anything for you? |
@tvdijen |
I tried to trace with v2.0.4. modules/core/src/Controller/Login.php#136 - ENTRY Login::handleLogin completeAuth function throws an exception and NEVER RETURNS The code where the cookie is set is after modules/core/src/Controller/Login.php#226 and appears to never be reached if the login is successful. |
I'm a bit confused now... Where did the blocked cookie messages in your first post come from if the code is never reached? I think I've fixed it now, but I must say I haven't tested it yet; |
I stumbled over this bug too in SimpleSAML 2.1.0.
This patch fixes the problem for me. The main problem is clearly that you set a SameSite 'none' cookie (on some user agents) without setting it to secure. This fix should go back into the main code - I'm a little bit shocked that it wasn't yet even if this bug report is already 6 months old. Edit: Ok this problem seems to much more difficult to solve then expected... With this fix it only remembers the username if the authentification was not successful! Some informations about my setup first - I use SimpleSAML as an IDP and use an extended UserPassBase as authentification method. So after a successful login the client should be redirected to the SP. The problem here is that UserPassBase::handleLogin does not return if the login is successful but instead directly sends the response by itself without any knowledge about the remember_username cookies. This happens in this method here: Source::loginCompleted() |
Correct, it is impossible to fix this right now without breaking backwards compatibility. The referred patch did more harm then good, so I believe it was reverted days after. |
Describe the bug
"Remember my username" does not work in simplesamlphp2.0.2.
To Reproduce
Steps to reproduce the behavior:
Expected behavior
If the login screen appears again, the previously entered user name is pre-populated.
Screenshots or logs
N/A
Additional context
simplesamlphp is trying to set the username cookie in the response header when posting the login screen form, but it is failing.
My browser (Chrome/111.0.5563.111) is displaying the following error in set-cookie.
This attempt to set a cookie via a Set-Cookie header was blocked because it had the "SameSite=None" attribute but did not have the "Secure" attribute, which is required in order to use "SameSite=None".
In previous versions of simplesamlphp (e.g. 1.19.1) the Remember username cookie was set as follows
set-cookie: mymodule-username=blah; expires=Thu, 28-Mar-2024 03:30:02 GMT; Max-Age=31536000; path=/; secure; HttpOnly; SameSite=Lax
In simplesamlphp 2.0.2 the Remember username cookie is set as follows
set-cookie: mymodule-username=blah; expires=Thu, 04-May-2023 15:26:37 GMT; Max-Age=3153600; path=/; httponly; samesite=none
The cookie with samesite=none is not accepted by the browser because security is not set, thus the "Remeber my username" is not working.
There does not seem to be a config in simplesamlphp 2.0.2 that can control the secure and samesite flags of the Remember username cookie.
The text was updated successfully, but these errors were encountered: