Login flow should know about session cookie #146
Comments
I quite liked one-click login, and for our use case, I think it would be acceptable to have Another solution is to make the sessions of client applications longer, but this will have to be done for every application individually.
I think having an extra click doesn't do much harm (this is what most providers do). While you are correct that there is a possibility something bad can be done this way, I prefer to stay on the safe side here. Defense in depth and all. I have tried to come up with scenarios where someone would be able to do harm. The best I can currently come up with is that you can log someone in to a certain application without interaction. E.g. suppose Tab has an XSS vulnerability where someone would be able to craft a transaction which would instruct your browser to send the contents of your wallet to the attacker (crazy example which could never happen cough).
Conclusion after an in-person discussion was to add the extra page. I'll try to do so this weekend.
Due to the `SameSite=strict` modifier on the session cookie, zauth doesn't know that the user is logged in when the user is redirected from another site. The easy fix is to change the SameSite modifier to `Lax`. To be more secure, we should land the flow on a confirm page ("Are you sure you want to log in to Haldis?"). A yes click on this confirm page makes the second request a same-site request, so zauth should pick up that the user is logged in at that point, and the user is not required to log in again.
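The following is an added example, not code from zauth or from this issue thread, that models the browser's SameSite cookie decision and replays the login flow described above under the three options discussed: keep `Strict` as-is, switch to `Lax`, or keep `Strict` and add a confirm page. The hostnames (`zauth.example`, `client-app.example`, `third-party.example`) and the session value are constructed placeholders, and `site_of` uses a simplified "last two host labels" rule instead of the Public Suffix List.

```python
from dataclasses import dataclass
from urllib.parse import urlsplit

# Methods for which a Lax cookie may ride along on a cross-site top-level navigation.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    value: str
    site: str        # registrable domain the cookie was set for
    same_site: str   # "Strict", "Lax" or "None"


@dataclass(frozen=True)
class Request:
    url: str
    initiator_site: str   # site of the page that caused the request (redirecting client app, or zauth itself)
    method: str
    top_level: bool       # True for a navigation that changes the address bar, False for a fetch/subresource


def site_of(url: str) -> str:
    # Simplified registrable-domain rule (assumption): last two host labels.
    # Real browsers consult the Public Suffix List here.
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Model of the browser's SameSite decision for a single request."""
    if site_of(req.url) != cookie.site:
        return False                      # cookie belongs to a different site entirely
    if cookie.same_site == "None":
        return True                       # sent on every request (requires Secure in real browsers)
    if req.initiator_site == cookie.site:
        return True                       # same-site request: both Strict and Lax attach it
    if cookie.same_site == "Strict":
        return False                      # cross-site: Strict never attaches it, even on a top-level GET
    # Lax: cross-site cookies only travel on top-level navigations with a safe method
    return req.top_level and req.method.upper() in SAFE_METHODS


def zauth_sees_session(same_site: str, confirm_page: bool) -> bool:
    """Does zauth see the session cookie at the moment it decides whether to show the login form?"""
    session = Cookie("session", "constructed-session-id", site="zauth.example", same_site=same_site)
    # Step 1: the client app redirects the browser to zauth's authorize endpoint.
    # From the browser's point of view this is a cross-site top-level GET.
    authorize = Request("https://zauth.example/oauth/authorize",
                        initiator_site="client-app.example", method="GET", top_level=True)
    if not confirm_page:
        return cookie_is_sent(session, authorize)
    # Step 2: with a confirm page, the authorize endpoint renders "Are you sure?" without
    # needing the session. The Yes click submits a form from zauth's own page, so the
    # resulting request is same-site and the cookie is attached regardless of Strict/Lax.
    confirm = Request("https://zauth.example/oauth/confirm",
                      initiator_site="zauth.example", method="POST", top_level=True)
    return cookie_is_sent(session, confirm)


def cross_site_post_sends_cookie(same_site: str) -> bool:
    """Sanity check: a cross-site POST (the classic CSRF shape) gets no cookie under Lax or Strict."""
    session = Cookie("session", "constructed-session-id", site="zauth.example", same_site=same_site)
    posted = Request("https://zauth.example/oauth/authorize",
                     initiator_site="third-party.example", method="POST", top_level=True)
    return cookie_is_sent(session, posted)


if __name__ == "__main__":
    for same_site, confirm in [("Strict", False), ("Lax", False), ("Strict", True)]:
        seen = zauth_sees_session(same_site, confirm)
        print(f"SameSite={same_site:<6} confirm page={str(confirm):<5} -> zauth sees session: {seen}")
```

Running it shows the three outcomes from the discussion: `Strict` without a confirm page loses the session on the redirect (the reported bug), `Lax` restores one-click login because a cross-site top-level GET carries the cookie, and `Strict` plus a confirm page restores the session only after the user's click, which is the interaction the thread wanted to keep.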