Skip to content

set Secure cookie flags only on HTTPS requests #19309

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom
Open
ydiarra wants to merge 4 commits into
base: develop
Choose a base branch
from
Open

set Secure cookie flags only on HTTPS requests #19309

ydiarra wants to merge 4 commits into from
+79 −8

Conversation

@ydiarra
Copy link

@ydiarra ydiarra commented Dec 16, 2025
edited
Loading

Previously, OIDC session cookies always included Secure flags, causing authentication to fail in local development over HTTP.

This change conditionally adds these security flags only when the request is made over a secure connection, enabling local HTTP development while maintaining security in production.

Pull Request Checklist

  • Pull request is based on the develop branch
  • Pull request includes a changelog file. The entry should:
    • Be a short description of your change which makes sense to users. "Fixed a bug that prevented receiving messages from other servers." instead of "Moved X method from EventStore to EventWorkerStore.".
    • Use markdown where necessary, mostly for code blocks.
    • End with either a period (.) or an exclamation mark (!).
    • Start with a capital letter.
    • Feel free to credit yourself, by adding a sentence "Contributed by @github_username." or "Contributed by [Your Name]." to the end of the entry.
  • Code style is correct (run the linters)

yannisdia added 3 commits December 15, 2025 18:19
set HttpOnly and Secure cookie flags only on HTTPS requests
fe809c0 
Previously, OIDC session cookies always included HttpOnly and Secure
flags, causing authentication to fail in local development over HTTP.

This change conditionally adds these security flags only when the
request is made over a secure connection, enabling local HTTP
development while maintaining security in production.
Update OIDC tests to include isSecure mock for request objects
4c76506 
This change modifies several test cases in `test_oidc.py` to include the `isSecure` attribute in the mocked request objects. This ensures that the tests accurately simulate secure requests, which is essential for validating the behavior of OIDC session cookies under secure conditions.
Add tests for OIDC session cookie security flags based on request sec…
afda710 
…urity

This update introduces two new test cases in `test_oidc.py` to verify that OIDC session cookies are set with the appropriate HttpOnly and Secure flags depending on whether the request is secure or not. The tests ensure that cookies are configured correctly for both secure and non-secure requests, enhancing the validation of cookie security in the OIDC flow.
@CLAassistant
Copy link

CLAassistant commented Dec 16, 2025

CLA assistant check
Thank you for your submission! We really appreciate it. Like many open source projects, we ask that you sign our Contributor License Agreement before we can accept your contribution.

yannisdia seems not to be a GitHub user. You need a GitHub account to be able to sign the CLA. If you have already a GitHub account, please add the email address used for this commit to your account.
You have signed the CLA already but the status is still pending? Let us recheck it.

@ydiarra ydiarra marked this pull request as ready for review December 16, 2025 09:38
@ydiarra ydiarra requested a review from a team as a code owner December 16, 2025 09:38
@moufmouf
Copy link

moufmouf commented Dec 17, 2025

This closes #19303

moufmouf added a commit to workadventure/workadventure that referenced this pull request Dec 17, 2025
@moufmouf
Rolling back dev version of Synapse to v1.141.0
83fb64c 
v1.141.0 introduces a breaking change in OIDC authentication in http with Webkit

See issue: element-hq/synapse#19303
See PR: element-hq/synapse#19309
@moufmouf moufmouf mentioned this pull request Dec 17, 2025
Merged
moufmouf added a commit to workadventure/workadventure that referenced this pull request Dec 17, 2025
@moufmouf
Rolling back dev version of Synapse to v1.141.0
cea5069 
v1.141.0 introduces a breaking change in OIDC authentication in http with Webkit

See issue: element-hq/synapse#19303
See PR: element-hq/synapse#19309
MadLittleMods
MadLittleMods reviewed Dec 23, 2025
View reviewed changes
synapse/handlers/oidc.py
# Here we have the names of the cookies, and the options we use to set them.
_SESSION_COOKIES = [
(b"oidc_session", b"HttpOnly; Secure; SameSite=None"),
(b"oidc_session_no_samesite", b"HttpOnly; Secure"),
Copy link
Contributor

@MadLittleMods MadLittleMods Dec 23, 2025
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

What browser are you experiencing this in? What version?

According to the MDN docs, this should work as-is:

Secure

Indicates that the cookie is sent to the server only when a request is made with the https: scheme (except on localhost)

-- https://developer.mozilla.org/en-US/docs/Web/HTTP/Reference/Headers/Set-Cookie#secure

And https://stackoverflow.com/questions/62307431/firefox-sends-secure-cookies-to-localhost/62717136#62717136 has a couple links to the browser issue trackers that also explain that this should work:

Additional point of reference:

HTTPS used to be necessary to locally set a cookie that is Secure, or SameSite:none, or has the __Host prefix. It is no longer the case.

-- https://web.dev/articles/when-to-use-local-https

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

@MadLittleMods MadLittleMods MadLittleMods left review comments

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

4 participants

@ydiarra @CLAassistant @moufmouf @MadLittleMods