Ck_login_id + others SameSite attribute missing

When logging into SuiteCRM, a number of post-login cookies are set, typically starting with ck_login, such as ID, theme, language and others.

None of these are being set with a Secure or SameSite attribute, which, based on browser warnings, will by default be treated as Lax and will impact cross-site logins.
These cookies appear to be set through /include/MVC/SugarApplication.php.

Does someone know how to update this to correctly set a SameSite attribute, like Secure; SameSite=None?
Message from Browser:
Cookie “ck_login_id_20” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”

Try this.

Report back whether this solved your issue…

Hi @chris001

Copied the new file and replaced the one on my server. After putting in place, the page breaks when you try and login.
I did a little digging and found some references as to the format.
In your code you had [“expire” => $expire, but I believe (at least looking at another example) it looks like “expires” must have the “s”.
I don’t know how much it matters, but there were also some contexts that had => $xx, and others that were =>$xx without a space, and using double vs single quotes… as I said, I really don’t know how much that matters or if it was just the missing “s”.
This is what I changed line 816 to, and after that the user was able to log in again.
As I am using an iframe, I changed Strict to None once I had things working in first party.

           setcookie($name, $value, ['expires' => $expire, 'path' => $path, 'domain' => $domain,
                                      'secure' => $secure, 'httponly' => $httponly, 'samesite' => $samesite]);

I did notice that in the code at around 806 there were some “if” statements that would pull the value that had been set in the php.ini file (session.cookie_path) in order to set the $path value.
Could the same be done for some of the other cookie values, so that if you set the php.ini to SameSite None, it will be picked up and applied here as well? That way the change will be persistent across future upgrades and can be configured from one place. If it is using some of the settings, why not use more of them?
My webserver CSP rules block iframe requests if they do not match what has been allowed, and I believe SuiteCRM does the same in its config. If the cookie value hasn’t been set in the php.ini, then default to either Lax or Strict.

Thanks for your help in getting this one solved for me…

Fix updated. Uses setting in php.ini file, session.cookie_samesite.

Hi @chris001
Thanks, at first the change didn’t work… there was a slight typo.

Line 821 needs $path changed to $samesite. After I changed that and connected, the cookie was correctly set.

       // Read the SameSite default from php.ini (session.cookie_samesite)
       $defaultCookieSameSite = ini_get('session.cookie_samesite');
       if ($samesite === null) {
           if (empty($defaultCookieSameSite)) {
               // Nothing configured in php.ini: fall back to Strict
               $samesite = 'Strict';
           } else {
               $samesite = $defaultCookieSameSite;
           }
       }

Thanks for all the help with this.

Typo fixed. PR updated. Thanks.
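As an added example (not SuiteCRM’s own code and not from this thread), here is a complete version of the cookie-setting logic the posts above converge on: the SameSite value comes from the argument, then from session.cookie_samesite in php.ini, then falls back to Strict, and a SameSite=None cookie is refused unless it is also Secure, since browsers drop such cookies silently. The function name sugarSetCookie() and its parameter list are assumptions, not SuiteCRM’s API.

```php
<?php
// Added example, not SuiteCRM code. sugarSetCookie() and resolveSameSite()
// are hypothetical names; the behaviour mirrors the fix discussed in the thread.
declare(strict_types=1);

// Resolve the SameSite value: explicit argument, then php.ini, then 'Strict'.
function resolveSameSite(?string $samesite): string
{
    if ($samesite === null) {
        $default = ini_get('session.cookie_samesite');   // false or '' when unset
        $samesite = ($default === false || $default === '') ? 'Strict' : $default;
    }
    // Accept "none" / "LAX" etc. from php.ini by normalising case.
    $normalised = ucfirst(strtolower($samesite));
    if (!in_array($normalised, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException("Invalid SameSite value: $samesite");
    }
    return $normalised;
}

// Set a cookie with the PHP 7.3+ options-array form of setcookie().
function sugarSetCookie(
    string $name,
    string $value,
    int $expire = 0,
    string $path = '/',
    string $domain = '',
    ?bool $secure = null,
    bool $httponly = true,
    ?string $samesite = null
): bool {
    $samesite = resolveSameSite($samesite);
    if ($secure === null) {
        // Default Secure to whether this request itself arrived over HTTPS.
        $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';
    }
    // Browsers reject SameSite=None without Secure (the iframe case above),
    // so fail loudly instead of emitting a cookie that will be discarded.
    if ($samesite === 'None' && !$secure) {
        throw new RuntimeException("SameSite=None requires Secure for cookie $name");
    }
    return setcookie($name, $value, [
        'expires'  => $expire,      // note the trailing "s", as found in the thread
        'path'     => $path,
        'domain'   => $domain,
        'secure'   => $secure,
        'httponly' => $httponly,
        'samesite' => $samesite,
    ]);
}
```

With session.cookie_samesite = None in php.ini and an HTTPS request, sugarSetCookie('ck_login_id_20', $id) emits a Secure; SameSite=None cookie; over plain HTTP the same call throws rather than setting a cookie the browser would drop.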

Ck_login_id + other cookies showing the wrong domain (e.g. 127.0.0.1) when using a reverse proxy

This is a totally separate problem, but as it applies to the same cookies, I’ll mention it here.
E.g. when using nginx as a reverse proxy (it may also apply to Apache as a reverse proxy; I don’t have evidence either way).

The root cause is that nginx needs to pass on the ‘Host’ value, because those cookies need that value when being set.

Solution:
This line is needed:

  • proxy_set_header Host $host;

In the config block, e.g.:

location /some/path/ {
    proxy_set_header Host $host;
    proxy_set_header X-Real-IP $remote_addr;
    proxy_pass http://localhost:8000;
}

If anyone