如何在使用 SameSite=Strict 的 OAUTH2 之后重定向并仍然获取我的 cookie? [英] How can I redirect after OAUTH2 with SameSite=Strict and still get my cookies?
问题描述
今天!进一步40781534,为其设置可接受的答案SameSite=Lax:
G'day! Further to 40781534, for which the accepted answer is to set SameSite=Lax:
如何在重定向到自己时设置 SameSite=Strict cookie,以便我可以从 Chrome 56.0.2924.87 取回 cookie,即使用户的请求本身就是从我的 OAUTH2 提供商的登录页面重定向的?
How can I set SameSite=Strict cookies on a redirection to myself in such a way that I'll get the cookie back from Chrome 56.0.2924.87, even if the user's request was itself a redirection from a login page on my OAUTH2 provider?
完整的请求链是:
POST https://provider.com/callback→302 FOUND使用:
Location: https://me/login?code=xxx&state=yyy
GET https://example.com/login?code=xxx&state=yyy → 302 FOUND 或 303 查看其他代码>(似乎无关紧要)与:
GET https://example.com/login?code=xxx&state=yyy → 302 FOUND or 303 SEE OTHER (doesn't seem to matter) with:
Location: https://example.com/destination
Set-Cookie: sid=zzzz; Secure; HttpOnly; SameSite=Strict; Path=/
GET https://example.com/destination → 401 GET OFF MY LAWN 因为浏览器没有显示 sid cookie
GET https://example.com/destination → 401 GET OFF MY LAWN because the browser didn't present the sid cookie
GET https://example.com/destination → 200 OK 如果我刷新,因为那时站点是相同的并且我的浏览器显示 <代码>sid cookie
GET https://example.com/destination → 200 OK if I refresh, because then the site is the same and my browser presents the sid cookie
我很欣赏将 sid 呈现给 /destination 的 CSRF 潜力,用于用户最后加载的页面不在 example.com,但我只是从 /login 设置它,我现在重定向到 /destination.
I appreciate the CSRF potential of presenting sid to /destination for the general case of the user's last loaded page not being on example.com, but I only just set it from /login, and I'm the one now redirecting to /destination.
当然,我可以设置 SameSite=Lax,但是如果有人能找到某种方法来触发他们选择的从我的网站重定向的恶意行为,那么就不会存在点击劫持的可能性-形成网址?
Sure, I could set SameSite=Lax, but then wouldn't there be some potential for click-jacking if someone could find some way to trigger redirection of their choice from my site by mal-forming a URL?
推荐答案
我认为出于安全原因不能这样做.SameSite=Strict 意味着如果用户已被重定向或只是点击了指向您网站的链接(来自其他主机),则不应发送 cookie.重定向就像链接"请求.因此,如果您的服务器重定向到另一个服务器并且该服务器立即使用 3xx 代码重定向回来,则将发送 cookie,因为您的服务器位于该链的顶部".
I don't think that this can be done for security reasons. SameSite=Strict means that if user has been redirected or just clicked on link to your site (from other host), cookie shouldn't be send. And redirecting is like 'chaining' requests. So if your server redirects to another and this server redirects back immediately with 3xx code, cookie will be sent, because your server is 'on top' of this chain.
但是,如果您重定向到 oauth 提供商并且用户必须允许您访问他的帐户,则意味着此链"已损坏,即使您的站点设置了 cookie,也将不再发送 cookie(已设置但未设置)发送).您的重定向只是点击的允许"链接的扩展".
However if you redirect to oauth provider and user has to allow there you to access his account it means that this 'chain' is broken, and cookie will no longer be sent even if your site sets it (it is set however not sent). Your redirect is just 'extension' of clicked 'allow' link.
如果您想防止其他人点击劫持您的网站,只要您认为必须防止这种行为,就在链接中使用 nonce,否则可能会很危险.但考虑到大多数提供商正在检查您是否以前定义了重定向 URL 并且您的应用允许.
If you want to prevent others from click-jacking your site, just use nonce in link if you think, that you have to prevent that kind of behavior, and it can be dangerous if you don't. But consider that most providers are checking for you if redirect url was previously defined and allowed by your app.
以下是其他解决方案(仅当您知道自己在做什么并且可以对自己承担 100% 的责任时才使用).
Here are other solutions (use only if you know what you're doing and can get on yourself 100% responsibility).
- 使用继续到站点"链接准备站点(当然点击链接后会发送 cookie)
- 使用 JavaScript 重新加载窗口
- 使用将重定向用户的 JavaScript 准备网站
- 结合第一种和第三种方法以获得更简洁的解决方案,并且在浏览器中无需 JavaScript 支持即可工作.
我在开发时使用了第二个,现在我使用的是同一个站点松懈(这是 Hapi 中的默认设置,最多可能是 15 版,所以还不错).
I have used second while developing, now I am using same site lax (this was default in Hapi up to maybe 15 ver, so it isn't so bad).
这篇关于如何在使用 SameSite=Strict 的 OAUTH2 之后重定向并仍然获取我的 cookie?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持IT屋!
