@igugigu opened this Issue on January 17th 2020

Hi

I am showing Matomo inside an iFrame to my customers. Since I upgraded from 3.13.0 the auto login does not work anymore (HTTP 403).

If I copy the iframe url to a new tab the autologin works as expected.

Best regards

nik

In matomo.log I get:

ERROR API[2020-01-17 18:39:17 UTC] [57710] Uncaught exception in API: Piwik\NoAccessException: Ihre Sitzung ist aufgrund Inaktivität abgelaufen. Bitte melden Sie sich an um fortzufahren. in /srv/websites/tracker/piwik/core/Access.php:728
ERROR API[2020-01-17 18:39:17 UTC] [57710] Stack trace:
ERROR API[2020-01-17 18:39:17 UTC] [57710] #0 /srv/websites/tracker/piwik/core/Access.php(491): Piwik\Access->throwNoAccessException('Ihre Sitzung is...')
ERROR API[2020-01-17 18:39:17 UTC] [57710] #1 /srv/websites/tracker/piwik/core/Piwik.php(545): Piwik\Access->checkUserHasSomeViewAccess()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #2 /srv/websites/tracker/piwik/plugins/LiveTab/API.php(23): Piwik\Piwik::checkUserHasSomeViewAccess()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #3 [internal function]: Piwik\Plugins\LiveTab\API->getSettings()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #4 /srv/websites/tracker/piwik/core/API/Proxy.php(237): call_user_func_array(Array, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #5 /srv/websites/tracker/piwik/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #6 /srv/websites/tracker/piwik/core/API/Proxy.php(328): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
ERROR API[2020-01-17 18:39:17 UTC] [57710] #7 /srv/websites/tracker/piwik/core/API/Request.php(265): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'getSettings', Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #8 /srv/websites/tracker/piwik/plugins/API/Controller.php(41): Piwik\API\Request->process()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #9 [internal function]: Piwik\Plugins\API\Controller->index()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #10 /srv/websites/tracker/piwik/core/FrontController.php(589): call_user_func_array(Array, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #11 /srv/websites/tracker/piwik/core/FrontController.php(165): Piwik\FrontController->doDispatch('API', false, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #12 /srv/websites/tracker/piwik/core/dispatch.php(34): Piwik\FrontController->dispatch()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #13 /srv/websites/tracker/piwik/index.php(27): require_once('/srv/websites/t...')
ERROR API[2020-01-17 18:39:17 UTC] [57710] #14 {main}

@dm577 commented on January 20th 2020

Has this been validated or a workaround/fix identified? I believe we would be impacted as well if iframes won't work with 3.13.1.

@tsteur commented on January 20th 2020 Member

@igugigu does it work when you are testing it outside an iframe? Are you logging the user in using username/password or something else?

@tsteur commented on January 20th 2020 Member

Also is the iframe http or https?

@igugigu commented on January 21st 2020

@igugigu does it work when you are testing it outside an iframe?

yes: If I copy the iframe url to a new tab the autologin works as expected.

Are you logging the user in using username/password or something else?

Yes, I'm setting username and password in the URL. The URL looks like this:

https://MY_HOST/?module=Login&action=logme&login=THE_SITE_ID&password=THE_PASSWORD&url=https%3A%2F%2FMY_HOST%2Findex.php%3Fmodule%3DWidgetize%26action%3Diframe%26moduleToWidgetize%3DDashboard%26actionToWidgetize%3Dindex%26period%3Dmonth%26date%3Dyesterday%26idSite%3DTHE_SITE_ID

This worked until 3.31.1 and it works if I open the url without an iframe

Also is the iframe http or https?

https

My Setup:
https://**customerdomain.tld**/index.html is like:

<html>
<body>
<iframe src="https://matomo-host.tld/?module=Login&action=logme ...."></iframe>
</body>
</html>

--> Might customerdomain.tld vs https://matomo-host.tld be a problem?

@mattab commented on January 21st 2020 Member

@igugigu What browser did you use, and do you see any browser console message?

@igugigu commented on January 22nd 2020

The first request redirects, the second returns a 403

Response Headers

Chrome 79:

cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=UTF-8
date: Wed, 22 Jan 2020 01:26:27 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
location: https://...../index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&period=month&date=yesterday&idSite=xxxx
pragma: no-cache
referrer-policy: origin
server: nginx/1.14.2
set-cookie: MATOMO_SESSID=31hrup1mfbu2cvai16p0poqmdi; path=/; secure; HttpOnly; SameSite=Lax
status: 302
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-matomo-request-id: 3902e
x-robots-tag: noindex
x-xss-protection: 1; mode=block

There is a chrome warning in the js console:

A cookie associated with a cross-site resource at https://.../ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Then:

cache-control: no-store, must-revalidate
content-encoding: gzip
content-type: text/html; charset=utf-8
date: Wed, 22 Jan 2020 01:26:27 GMT
referrer-policy: same-origin
referrer-policy: origin
server: nginx/1.14.2
set-cookie: MATOMO_SESSID=vogrkv411jo8ugrhmj9i59oqkm; path=/; secure; HttpOnly
status: 403
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-matomo-request-id: c060a
x-xss-protection: 1; mode=block

Firefox 74:

HTTP/2 302 Found
server: nginx/1.14.2
date: Wed, 22 Jan 2020 01:30:49 GMT
content-type: text/html; charset=UTF-8
location: https://.../index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&period=month&date=yesterday&idSite=xxxx
x-matomo-request-id: e54a7
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: MATOMO_SESSID=b8dfahr709jabpvqfmr75jep4n; path=/; secure; HttpOnly; SameSite=Lax
x-robots-tag: noindex
strict-transport-security: max-age=15768000
referrer-policy: origin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
X-Firefox-Spdy: h2

Then:

HTTP/2 403 Forbidden
server: nginx/1.14.2
date: Wed, 22 Jan 2020 01:30:49 GMT
content-type: text/html; charset=utf-8
x-matomo-request-id: 0583b
cache-control: no-store, must-revalidate
referrer-policy: same-origin
strict-transport-security: max-age=15768000
referrer-policy: origin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-encoding: gzip
X-Firefox-Spdy: h2

@igugigu commented on January 22nd 2020

The cookie obtained from the first (login) request is not used because:
This Set-Cookie had the "SameSite=Lax" attribute but came from a cross-origin response

Probably related: https://github.com/matomo-org/matomo/commit/109926dd5a65244406bede12b897d59a23803d96

@tsteur commented on January 22nd 2020 Member

@igugigu any chance you have some proxy/load balancing active in your Matomo environment that might be running on HTTP instead of HTTPS?

@igugigu commented on January 22nd 2020

@tsteur No, no proxy, running php7.3 fastcgi under Nginx

@igugigu commented on January 22nd 2020

@tsteur commented on January 22nd 2020 Member

I understand, thanks. It looks like for the session cookie we are currently using Lax.

Reading on https://medium.com/whatfix-techblog/a-major-concern-browser-cookie-enhancements-security-821a001b9da1 it does say it won't be sent in iframes. So I suppose if we are on HTTPS, we need to set None (and also make sure to use the Secure flag)?

Cookies with SameSite=None must also specify Secure, meaning they require a secure context.

I guess there isn't really a way for us to detect whether Matomo is displayed within an iframe and then change the session cookie information.

That would be e.g. https://github.com/matomo-org/matomo/blob/3.13.1/core/Session.php#L202 and also changing all the callers of that method. Not sure if None has any downside? Of course we would only be able to use it if Matomo runs on HTTPS.

@tsteur commented on January 22nd 2020 Member

@Findus23 @mattab any thoughts?

@igugigu commented on January 22nd 2020

Maybe set it to None if enable_framed_pages=1

Thank you

@Findus23 commented on January 22nd 2020 Member

In a way this is intended as the whole point of SameSite is that cookies are only sent on the same site. And as browsers (or at least Chrome) are forcing everyone to use it (#14395) I don't really see a way around it.

Not sure if None has any downside?

It is for example broken in a lot of Safari versions.

@dm577 commented on January 22nd 2020

From what I read, it seems that the SameSite=None; Secure setting would be the correct choice for the session cookie in this case vs Lax. The bug in Safari was fixed although it's still present in older versions:

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://adzerk.com/blog/chrome-samesite/

@mattab commented on January 30th 2020 Member

It seems fixed as the PR is merged, so closing :+1:

This Issue was closed on January 30th 2020