Since 3.13.1 autologin in an iframe does not work anymore #15414
Comments
Has this been validated or a workaround/fix identified? I believe we would be impacted as well if iframes won't work with 3.13.1.
@igugigu does it work when you are testing it outside an iframe? Are you logging the user in using username/password or something else?
Also, is the iframe http or https?
Yes: if I copy the iframe URL to a new tab the autologin works as expected.
Yes, I'm setting username and password in the URL. The URL looks like this:
This worked until 3.31.1 and it works if I open the URL without an iframe.
https
My setup:
--> Might customerdomain.tld vs https://matomo-host.tld be a problem?
@igugigu What browser did you use, and do you see any browser console message?
The first request redirects, the second returns a 403.
Response headers, Chrome 79:
There is a Chrome warning in the JS console:
Then:
Firefox 74:
Then:
The cookie obtained from the first (login) request is not used because:
Probably related: 109926d
@igugigu any chance you have some proxy/load balancing active in your Matomo environment that might be running on HTTP instead of HTTPS?
@tsteur No, no proxy, running PHP 7.3 FastCGI under Nginx.
@tsteur I found a workaround: changing 'Lax' to 'None' at
Introduced: #15186
I understand, thanks. It looks like for the session cookie we are currently using
Reading on https://medium.com/whatfix-techblog/a-major-concern-browser-cookie-enhancements-security-821a001b9da1 it does say it won't be sent in iframes. So I suppose if we are on HTTPS, we need to set
I guess there isn't really a way for us to detect whether Matomo is displayed within an iframe and then change the session cookie information. That would be e.g. https://github.com/matomo-org/matomo/blob/3.13.1/core/Session.php#L202 and also changing all the callers of that method. Not sure if
Maybe set it to None if
Thank you
In a way this is intended, as the whole point of
It is for example broken in a lot of Safari versions.
From what I read, it seems that the SameSite=None; Secure setting would be the correct choice for the session cookie in this case vs Lax. The bug in Safari was fixed although it's still present in older versions: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
It seems fixed as the PR is merged, so closing 👍
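The thread settles on sending the session cookie with SameSite=None; Secure over HTTPS and keeping Lax otherwise. The following is an added illustration of that rule in plain PHP 7.3+ (the version mentioned in the thread); it is not Matomo's own Session.php code, and the function names `sessionCookieParams` and `requestIsHttps` are assumptions made here for the example:

```php
<?php
// Added example (not Matomo's code): choose session-cookie attributes by transport.
// Browsers only accept SameSite=None when the cookie is also Secure, so on plain
// HTTP the cookie has to stay Lax, and a cross-site iframe will not carry the session.

declare(strict_types=1);

/**
 * Return session cookie parameters for session_set_cookie_params().
 * $isHttps  whether the current request arrived over TLS
 * $embedded whether this deployment is expected to load inside a cross-site iframe
 */
function sessionCookieParams(bool $isHttps, bool $embedded): array
{
    $params = [
        'lifetime' => 0,        // session cookie, expires with the browser session
        'path'     => '/',
        'domain'   => '',       // host-only cookie
        'secure'   => $isHttps, // never send the session id over plain HTTP on an HTTPS site
        'httponly' => true,     // keep the session id out of document.cookie
        'samesite' => 'Lax',    // default: blocked in cross-site iframes, as the thread observed
    ];

    if ($embedded && $isHttps) {
        // Cross-site iframe embedding needs None, which browsers honour only with Secure.
        $params['samesite'] = 'None';
    }

    return $params;
}

/**
 * Hypothetical helper: detect whether the request is HTTPS. If TLS is terminated
 * by a reverse proxy, this must be derived from the proxy's forwarded headers instead.
 */
function requestIsHttps(): bool
{
    return (!empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off')
        || (($_SERVER['SERVER_PORT'] ?? null) == 443);
}

$params = sessionCookieParams(requestIsHttps(), /* embedded: */ true);

// PHP >= 7.3 accepts the options-array form, which is what makes 'samesite' settable.
session_set_cookie_params($params);
session_start();
```

To confirm the change took effect, inspect the Set-Cookie header of the login response (browser devtools or curl -I) and check that it carries both `SameSite=None` and `Secure`; the console warning quoted earlier in the thread disappears once both are present. The caveat from the thread still applies: some older Safari versions mishandle SameSite=None, so an embedded deployment should be tested on the browsers its customers actually use.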
Hi
I am showing Matomo inside an iframe to my customers. Since I upgraded from 3.13.0 the auto login does not work anymore (HTTP 403).
If I copy the iframe URL to a new tab the autologin works as expected.
Best regards
nik
In matomo.log I get: