Opened 6 years ago
Last modified 6 years ago
#30250 closed Bug
Due to iOS Safari 12 issue, SameSite flag on session and CSRF cookies should NOT be Lax by default — at Version 2
Reported by: | Flávio Juvenal | Owned by: | nobody |
---|---|---|---|
Component: | Core (Other) | Version: | 2.1 |
Severity: | Normal | Keywords: | samesite, csrf, session, cookies |
Cc: | Maciej Olko | Triage Stage: | Someday/Maybe |
Has patch: | no | Needs documentation: | no |
Needs tests: | no | Patch needs improvement: | no |
Easy pickings: | no | UI/UX: | no |
Description (last modified by )
There's a iOS Safari 12 issue that prevents common flows (sequences of requests) to work properly if there's SameSite=lax
on cookies. This issue was confirmed by Daniel Bates, from Apple and it's still open.
Examples of broken flows:
- OpenIdConnect: https://community.auth0.com/t/authentication-broken-on-asp-net-core-and-safari-on-ios-12-mojave-take-2/19104
- Shopify app OAuth flow: https://www.calazan.com/django-21-samesite-cookie-issue-with-safari-12/
- Clicking a link on an email: https://bugs.webkit.org/show_bug.cgi?id=188165#c40
- SAML flow: https://github.com/IronCountySchoolDistrict/django-python3-saml/issues/1
Since Safari 12 is the current stable version and it's widely deployed on iOS devices, I believe the Django default for CSRF_COOKIE_SAMESITE
and SESSION_COOKIE_SAMESITE
should be None
, not Lax
. That's the most general solution and it's the one recommended by Microsoft to fix the similar issue on ASP.NET.
Core developers, could you please let me know if you agree with that change, so I can make a PR updating the defaults and the documentation?
I think both CSRF and Session cookies shouldn't have the SameSite flag because I've found many 403 Forbidden issues on both on Safari 12. If more steps to reproduce beyond the links above are necessary, please let me know.
Change History (2)
comment:1 by , 6 years ago
Description: | modified (diff) |
---|
comment:2 by , 6 years ago
Description: | modified (diff) |
---|