Skip to content

adding sameSite cookie attr support to samples#166

Merged
SomkaPe merged 3 commits intodevfrom
pesomka/samesite
Jan 27, 2020
Merged

adding sameSite cookie attr support to samples#166
SomkaPe merged 3 commits intodevfrom
pesomka/samesite

Conversation

@SomkaPe
Copy link
Copy Markdown
Contributor

@SomkaPe SomkaPe commented Jan 18, 2020

samples updated to support "SameSite" attribute of session cookies:

  • setting "secure" and "SameSite=None" attributes for session cookies
  • using https with local host

sangonzal
sangonzal reviewed Jan 21, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@sangonzal sangonzal left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

These changes should also be made in AzureSamples samples and to the portal quickstart. Also a wiki page explaining these changes which all the samples can point to would be useful.

src/samples/msal-web-sample/src/main/resources/application.properties
aad.redirectUri=https://localhost:8081/msal4jsample/secure/aad
aad.oboApi=<OboAi>/access_as_user

server.servlet.session.cookie.secure=true
Copy link
Copy Markdown
Contributor

@sangonzal sangonzal Jan 21, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Is secure cookie necessary as part of the SameSite changes?

I realize that this is a necessary practice in a production app, but it had been omitted in this samples previously because it further complicates getting the sample running. For the Azure Samples and the portal quickstart, these changes will have to be explained, including instructions on how to set this up. IMO a section in the README and in a comment in the code could be sufficient.

Copy link
Copy Markdown
Contributor Author

@SomkaPe SomkaPe Jan 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

In new versions of Chrome cookies with same site none will not be included in cs request if they not secure

@navyasric
Copy link
Copy Markdown
Contributor

navyasric commented Jan 21, 2020
edited
Loading

These changes should also be made in AzureSamples samples and to the portal quickstart. Also a wiki page explaining these changes which all the samples can point to would be useful.

@SomkaPe Adding to @sangonzal comment: Please prioritize adding these changes to the Azure Samples here:
https://github.com/Azure-Samples/ms-identity-java-webapp
https://github.com/Azure-Samples/ms-identity-java-webapi
Java B2C sample: https://github.com/AzureAD/microsoft-authentication-library-for-java/tree/dev/src/samples/msal-b2c-web-sample

These are the customer facing samples we promote through docs etc.
I will provide the Wiki page for these changes today.

@SomkaPe
Copy link
Copy Markdown
Contributor Author

SomkaPe commented Jan 25, 2020

@navyasric Corresponding PR were submitted, please review

henrik-me
henrik-me reviewed Jan 25, 2020
View reviewed changes
src/main/java/com/microsoft/aad/msal4j/DefaultHttpClient.java
if (responseCode != HttpURLConnection.HTTP_OK) {
is = conn.getErrorStream();
if (is != null) {
httpResponse.headers(conn.getHeaderFields());
Copy link
Copy Markdown
Contributor

@henrik-me henrik-me Jan 25, 2020
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

ields()); [](start = 56, length = 9)

was this a bug? Seems like there is a test missing?

Copy link
Copy Markdown
Contributor Author

@SomkaPe SomkaPe Jan 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

yes, bug - headers were not returned in case of error, missed test class during commit , will add

henrik-me
henrik-me reviewed Jan 25, 2020
View reviewed changes
src/samples/msal-web-sample/src/main/java/com/microsoft/azure/msalwebsample/CookieHelper.java
@@ -0,0 +1,95 @@
// Copyright (c) Microsoft Corporation. All rights reserved.
Copy link
Copy Markdown
Contributor

@henrik-me henrik-me Jan 25, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

why is this not shared code across samples?

Copy link
Copy Markdown
Contributor Author

@SomkaPe SomkaPe Jan 26, 2020

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

technically all samples are different projects,

henrik-me
henrik-me approved these changes Jan 25, 2020
View reviewed changes
Copy link
Copy Markdown
Contributor

@henrik-me henrik-me left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

pls. see my comments

@SomkaPe SomkaPe merged commit d966982 into dev Jan 27, 2020
@siddhijain siddhijain deleted the pesomka/samesite branch January 19, 2022 18:27
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@henrik-me henrik-me henrik-me approved these changes

@navyasric navyasric Awaiting requested review from navyasric

+1 more reviewer

@sangonzal sangonzal sangonzal approved these changes

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@SomkaPe @navyasric @henrik-me @sangonzal