network.cookie.sameSite.laxByDefault=true breaks login in kanta.fi
Categories
(Core :: Networking: Cookies, defect)
Tracking
()
Tracking | Status | |
---|---|---|
firefox96 | --- | disabled |
People
(Reporter: smaug, Unassigned)
References
(Regression)
Details
(Keywords: regression)
network.cookie.sameSite.laxByDefault=true breaks login in kanta.fi and also in other public sites in Finland.
Updated•3 years ago
|
Updated•3 years ago
|
Reporter | ||
Comment 1•3 years ago
|
||
I think kanta.fi has been updated. It works now.
Reporter | ||
Comment 2•2 years ago
|
||
Looks like the site is broken again.
Reporter | ||
Comment 3•2 years ago
|
||
Or, hmm, I'm not sure. On this profile if I have lax enabled, there are issues, but on another FF profile it is fine.
Comment 4•2 years ago
|
||
Olli: are you still having problems with the site?
One issue that may affect your test is that cookies set prior to turning on "laxByDefault" are treated as "none by default" (we saved the current interpretation of "no attribute", not that the attribute was unset). If one profile was used to log in before you may have enough cookies that are treated as SameSite=None that it happens to work. I bet if you cleared cookies for that site (and whatever cross-site authentication domains it's using) then the two profiles would behave the same.
Unfortunately I can't test this myself since I don't have a valid authenticator for foreigners. Niklas might, although the site says that as of Jan 13 the German authenticator wasn't working. Have no idea if that's a temporary glitch or something that's going to go on a long time.
Country identifiers that should work include: Italy, Denmark, Estonia, Spain, Croatia, Czech Republic, Slovakia, and Portugal. Sadly not Sweden, which would have been handy because Valentin of the Necko team is based there.
What specific identification method do you use? Since cross-site cookies are the issue it's possible some of them do things better than others.
www.kanta.fi itself seems to use mostly "default" cookies (treated as "none" before, "lax" now). It's got a few explicit "strict" cookies, too.
The log-in button opens https://kansalainen.kanta.fi/, and Firefox doesn't send any cookies to it because all the www.kanta.fi cookies were just for www.kanta.fi -- they weren't ".kanta.fi" domain cookies. In any case, laxByDefault wouldn't be a problem since this is a navigation. The response does set some important-looking cookies ("OAuth_Token_Request_State") as samesite default (lax/none depending on pref).
The above load does a 302 to https://tunnistus.kela.fi/ which sets some more samesite default cookies. After a second or two this does a POST to https://tunnistautuminen.suomi.fi/idp/profile/SAML2/POST/SSO which redirects around the same site and ends up on https://tunnistautuminen.suomi.fi/sivut/discovery-page/?... -- all the while setting more default samesite cookies.
I checked a sampling of the individual indentification providers. A lot of them were using explicit SameSite=None cookies, but a couple appeared to use default and would get effective SameSite=Lax cookies with the new Settings. Which provider you specifically use would make a difference.
I can't actually complete the login, but it's possible that if the site then passes the token back to the original site via URL paramenter or through a POST that the lack of SameSite=None cookies on www.kanta.fi itself isn't the problem.
How does Chrome do on this? I assume it must work, but I don't see how unless the sites involved give different cookies to Chrome.
Updated•2 years ago
|
Comment 5•2 years ago
|
||
It looks like the cookies sent to Chrome by the various providers are the same type as those sent to Firefox (wrt SameSite attributes).
Reporter | ||
Comment 6•2 years ago
|
||
Right now I can login to kanta.fi using this profile which has
network.cookie.sameSite.laxByDefault = true
I use my bank account as the identification method.
I also tested another FF profile and it was fine.
I also tested removing any related cookies, setting the pref to false, login, logout, change the pref to true, and login again, and it was working.
Updated•2 years ago
|
Reporter | ||
Comment 7•11 months ago
|
||
I think the needinfo can be cleared here.
Description
•