Going on 5 years ago, I had to do some integrations with SimpleSAMLPhp for a client. Now, in a Day Job, one of my colleagues is trying to get an integration working, and I’m amused that they find that my post is top hit when they google the error.
Anywho… what I wrote in my post wasn’t working, so I had to dig a little deeper.
Logins were working, but not from Chrome.
After digging into it a little, I found that
SameSite headers were being set on the cookie, but no
This is Not Good, and so a lot of the more security focussed browsers will ignore these headers. You can even see this if you look at your developer tools.
Ok, so set the
secure flag in your app, and job done, right?
Well. Normally, yes. But the added complexity comes from how our estate is currently configured – containers sat behind a load balancing gateway. This gateway, running
haproxy, performs SSL offloading (yes, I know, NSA Smiley, but this is just temporary).
Once I figured out what was going on, the fix is quite simple. Namely, rewrite any cookies coming from the backend containers to include the
This is fine, since none of our services are available over vanilla HTTP.
Adding the following:
rspirep ^(set-cookie:.*) \1;\ Secure
Did the trick after a restart.
Of course, previous tips still apply, you’re going to want to clear your caches etc so that the old cookie isn’t preserved, etc.
Hope this helps!