Since 3.13.1 autologin in an iframe does not work anymore #15414

Closed
igugigu opened this issue Jan 17, 2020 · 16 comments
igugigu commented Jan 17, 2020

Hi

I am showing Matomo inside an iFrame to my customers. Since I upgraded from 3.13.0 the auto login does not work anymore (HTTP 403).

If I copy the iframe url to a new tab the autologin works as expected.

Best regards

nik

In matomo.log I get:

ERROR API[2020-01-17 18:39:17 UTC] [57710] Uncaught exception in API: Piwik\NoAccessException: Ihre Sitzung ist aufgrund Inaktivität abgelaufen. Bitte melden Sie sich an um fortzufahren. [English: Your session has expired due to inactivity. Please log in to continue.] in /srv/websites/tracker/piwik/core/Access.php:728
ERROR API[2020-01-17 18:39:17 UTC] [57710] Stack trace:
ERROR API[2020-01-17 18:39:17 UTC] [57710] #0 /srv/websites/tracker/piwik/core/Access.php(491): Piwik\Access->throwNoAccessException('Ihre Sitzung is...')
ERROR API[2020-01-17 18:39:17 UTC] [57710] #1 /srv/websites/tracker/piwik/core/Piwik.php(545): Piwik\Access->checkUserHasSomeViewAccess()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #2 /srv/websites/tracker/piwik/plugins/LiveTab/API.php(23): Piwik\Piwik::checkUserHasSomeViewAccess()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #3 [internal function]: Piwik\Plugins\LiveTab\API->getSettings()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #4 /srv/websites/tracker/piwik/core/API/Proxy.php(237): call_user_func_array(Array, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #5 /srv/websites/tracker/piwik/core/Context.php(28): Piwik\API\Proxy->Piwik\API\{closure}()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #6 /srv/websites/tracker/piwik/core/API/Proxy.php(328): Piwik\Context::executeWithQueryParameters(Array, Object(Closure))
ERROR API[2020-01-17 18:39:17 UTC] [57710] #7 /srv/websites/tracker/piwik/core/API/Request.php(265): Piwik\API\Proxy->call('\\Piwik\\Plugins\\...', 'getSettings', Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #8 /srv/websites/tracker/piwik/plugins/API/Controller.php(41): Piwik\API\Request->process()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #9 [internal function]: Piwik\Plugins\API\Controller->index()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #10 /srv/websites/tracker/piwik/core/FrontController.php(589): call_user_func_array(Array, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #11 /srv/websites/tracker/piwik/core/FrontController.php(165): Piwik\FrontController->doDispatch('API', false, Array)
ERROR API[2020-01-17 18:39:17 UTC] [57710] #12 /srv/websites/tracker/piwik/core/dispatch.php(34): Piwik\FrontController->dispatch()
ERROR API[2020-01-17 18:39:17 UTC] [57710] #13 /srv/websites/tracker/piwik/index.php(27): require_once('/srv/websites/t...')
ERROR API[2020-01-17 18:39:17 UTC] [57710] #14 {main}
dm577 commented Jan 20, 2020

Has this been validated or a workaround/fix identified? I believe we would be impacted as well if iframes won't work with 3.13.1.

tsteur (Member) commented Jan 20, 2020

@igugigu does it work when you are testing it outside an iframe? Are you logging the user in using username/password or something else?

tsteur (Member) commented Jan 20, 2020

Also is the iframe http or https?

@mattab mattab added this to the 3.13.2 milestone Jan 21, 2020
@mattab mattab added the Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. label Jan 21, 2020
igugigu (Author) commented Jan 21, 2020

> @igugigu does it work when you are testing it outside an iframe?

Yes: if I copy the iframe URL into a new tab, the autologin works as expected.

> Are you logging the user in using username/password or something else?

Yes, I am setting username and password in the URL. The URL looks like this:

https://MY_HOST/?module=Login&action=logme&login=THE_SITE_ID&password=THE_PASSWORD&url=https%3A%2F%2FMY_HOST%2Findex.php%3Fmodule%3DWidgetize%26action%3Diframe%26moduleToWidgetize%3DDashboard%26actionToWidgetize%3Dindex%26period%3Dmonth%26date%3Dyesterday%26idSite%3DTHE_SITE_ID

This worked until 3.13.1, and it works if I open the URL without an iframe.

> Also is the iframe http or https?

https

My setup:
https://customerdomain.tld/index.html is like:

<html>
<body>
<iframe src="https://matomo-host.tld/?module=Login&action=logme ...."></iframe>
</body>
</html>

--> Might customerdomain.tld vs https://matomo-host.tld be a problem?

mattab (Member) commented Jan 21, 2020

@igugigu What browser did you use, and do you see any browser console message?

igugigu (Author) commented Jan 22, 2020

The first request redirects, the second returns a 403

Response headers

Chrome 79:

cache-control: no-store, no-cache, must-revalidate
content-type: text/html; charset=UTF-8
date: Wed, 22 Jan 2020 01:26:27 GMT
expires: Thu, 19 Nov 1981 08:52:00 GMT
location: https://...../index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&period=month&date=yesterday&idSite=xxxx
pragma: no-cache
referrer-policy: origin
server: nginx/1.14.2
set-cookie: MATOMO_SESSID=31hrup1mfbu2cvai16p0poqmdi; path=/; secure; HttpOnly; SameSite=Lax
status: 302
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-matomo-request-id: 3902e
x-robots-tag: noindex
x-xss-protection: 1; mode=block

There is a chrome warning in the js console:

A cookie associated with a cross-site resource at https://.../ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Then:

cache-control: no-store, must-revalidate
content-encoding: gzip
content-type: text/html; charset=utf-8
date: Wed, 22 Jan 2020 01:26:27 GMT
referrer-policy: same-origin
referrer-policy: origin
server: nginx/1.14.2
set-cookie: MATOMO_SESSID=vogrkv411jo8ugrhmj9i59oqkm; path=/; secure; HttpOnly
status: 403
strict-transport-security: max-age=15768000
x-content-type-options: nosniff
x-matomo-request-id: c060a
x-xss-protection: 1; mode=block

Firefox 74:

HTTP/2 302 Found
server: nginx/1.14.2
date: Wed, 22 Jan 2020 01:30:49 GMT
content-type: text/html; charset=UTF-8
location: https://.../index.php?module=Widgetize&action=iframe&moduleToWidgetize=Dashboard&actionToWidgetize=index&period=month&date=yesterday&idSite=xxxx
x-matomo-request-id: e54a7
expires: Thu, 19 Nov 1981 08:52:00 GMT
cache-control: no-store, no-cache, must-revalidate
pragma: no-cache
set-cookie: MATOMO_SESSID=b8dfahr709jabpvqfmr75jep4n; path=/; secure; HttpOnly; SameSite=Lax
x-robots-tag: noindex
strict-transport-security: max-age=15768000
referrer-policy: origin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
X-Firefox-Spdy: h2

Then:

HTTP/2 403 Forbidden
server: nginx/1.14.2
date: Wed, 22 Jan 2020 01:30:49 GMT
content-type: text/html; charset=utf-8
x-matomo-request-id: 0583b
cache-control: no-store, must-revalidate
referrer-policy: same-origin
strict-transport-security: max-age=15768000
referrer-policy: origin
x-content-type-options: nosniff
x-xss-protection: 1; mode=block
content-encoding: gzip
X-Firefox-Spdy: h2

igugigu (Author) commented Jan 22, 2020

The cookie obtained from the first (login) request is not used because:
This Set-Cookie had the "SameSite=Lax" attribute but came from a cross-origin response.

Probably related: 109926d
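As an added illustration (not code from this issue or from Matomo), the script below models the browser-side SameSite decision behind the observation above: the session cookie from the 302 is stored, but a browser withholds it from the iframe's follow-up request when it carries SameSite=Lax, and attaches it when it carries SameSite=None together with Secure. The hostnames, the shortened session ids and the two-label "site" helper are this example's own simplifications.

```javascript
// Added example, not Matomo's code: a small model of how a browser decides
// whether a cookie set by the Matomo host is attached to a later request.
// Hostnames and cookie values are constructed; siteOf() is a simplification.

// Parse a Set-Cookie header into a cookie record. A cookie without a
// SameSite attribute is treated as Lax, the default the Chrome warning in
// this issue announces.
function parseSetCookie(header) {
  const parts = header.split(";").map((p) => p.trim());
  const eq = parts[0].indexOf("=");
  const cookie = {
    name: parts[0].slice(0, eq),
    value: parts[0].slice(eq + 1),
    secure: false,
    sameSite: "Lax",
  };
  for (const attr of parts.slice(1)) {
    const [k, v = ""] = attr.split("=");
    const key = k.toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.charAt(0).toUpperCase() + v.slice(1).toLowerCase();
  }
  return cookie;
}

// "Site" of a host: its last two labels. Real browsers use the Public Suffix List.
function siteOf(hostname) {
  return hostname.split(".").slice(-2).join(".");
}

class CookieJar {
  constructor() {
    this.cookies = [];
  }

  // Store a cookie from a response. Returns false when a browser would drop it.
  store(responseHost, scheme, header) {
    const c = parseSetCookie(header);
    if (c.sameSite === "None" && !c.secure) return false; // None requires Secure
    if (c.secure && scheme !== "https") return false; // Secure needs a secure origin
    this.cookies = this.cookies.filter((x) => !(x.host === responseHost && x.name === c.name));
    this.cookies.push({ ...c, host: responseHost });
    return true;
  }

  // Names of the cookies a browser attaches to a request. topLevelSite is the
  // site in the address bar; a request made by an iframe, including a redirect
  // the iframe follows, is not a top-level navigation.
  cookiesFor({ host, scheme, topLevelSite, topLevelNavigation, method }) {
    const sameSiteRequest = siteOf(host) === topLevelSite;
    return this.cookies
      .filter((c) => c.host === host)
      .filter((c) => !c.secure || scheme === "https")
      .filter((c) => {
        if (sameSiteRequest) return true;
        if (c.sameSite === "None") return true;
        if (c.sameSite === "Lax") return topLevelNavigation && method === "GET";
        return false; // Strict: never on a cross-site request
      })
      .map((c) => c.name);
  }
}

// The flow from the issue: customerdomain.tld embeds matomo-host.tld in an
// iframe, the logme request answers 302 with Set-Cookie, and the iframe then
// follows the redirect to the Widgetize URL.
function simulateIframeLogin(setCookieHeader) {
  const jar = new CookieJar();
  const stored = jar.store("matomo-host.tld", "https", setCookieHeader);
  const sent = stored
    ? jar.cookiesFor({
        host: "matomo-host.tld",
        scheme: "https",
        topLevelSite: "customerdomain.tld",
        topLevelNavigation: false,
        method: "GET",
      })
    : [];
  return { stored, sent };
}

// The same URL pasted into a new tab: the request is same-site, so Lax is enough.
function simulateTopLevelLogin(setCookieHeader) {
  const jar = new CookieJar();
  jar.store("matomo-host.tld", "https", setCookieHeader);
  return jar.cookiesFor({
    host: "matomo-host.tld",
    scheme: "https",
    topLevelSite: "matomo-host.tld",
    topLevelNavigation: true,
    method: "GET",
  });
}

// Constructed headers mirroring the ones in the issue (session ids shortened).
const LAX_HEADER = "MATOMO_SESSID=31hrup1m; path=/; secure; HttpOnly; SameSite=Lax";
const NONE_HEADER = "MATOMO_SESSID=31hrup1m; path=/; secure; HttpOnly; SameSite=None";
const NONE_INSECURE_HEADER = "MATOMO_SESSID=31hrup1m; path=/; HttpOnly; SameSite=None";
```

Run under Node: simulateIframeLogin(LAX_HEADER) stores the cookie but sends nothing on the redirected request, which is the session-less request that produced the 403 in the log; with NONE_HEADER the cookie is sent, and NONE_INSECURE_HEADER is never stored at all.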

tsteur (Member) commented Jan 22, 2020

@igugigu any chance you have some proxy/load balancing active in your Matomo environment that might be running on HTTP instead of HTTPS?

igugigu (Author) commented Jan 22, 2020

@tsteur No, no proxy, running php7.3 fastcgi under Nginx

igugigu (Author) commented Jan 22, 2020

@tsteur I found a workaround:

Changing 'Lax' to 'None' at
https://github.com/matomo-org/matomo/blob/3.x-dev/libs/Zend/Session.php#L344

Introduced: #15186

tsteur (Member) commented Jan 22, 2020

I understand, thanks. It looks like for the session cookie we are currently using Lax.

Reading on https://medium.com/whatfix-techblog/a-major-concern-browser-cookie-enhancements-security-821a001b9da1 it does say it won't be sent in iframes. So I suppose if we are on HTTPS, we need to set None (and also make sure to use the Secure flag)?

Cookies with SameSite=None must also specify Secure, meaning they require a secure context.

I guess there isn't really a way for us to detect whether Matomo is displayed within an iframe and then change the session cookie information.

That would be eg https://github.com/matomo-org/matomo/blob/3.13.1/core/Session.php#L202 and also changing all the callers of that method. Not sure if None has any downside? Of course we would only be able to use it if Matomo runs on HTTPS.

tsteur (Member) commented Jan 22, 2020

@Findus23 @mattab any thoughts?

igugigu (Author) commented Jan 22, 2020

Maybe set it to None if enable_framed_pages=1

Thank you

@mattab mattab added Regression Indicates a feature used to work in a certain way but it no longer does even though it should. and removed Waiting for user feedback Indicates the Matomo team is waiting for feedback from the author or other users. labels Jan 22, 2020
Findus23 (Member) commented
In a way this is intended as the whole point of SameSite is that cookies are only sent on the same site. And as browsers (or at least Chrome) are forcing everyone to use it (#14395) I don't really see a way around it.

> Not sure if None has any downside?

It is for example broken in a lot of Safari versions.

dm577 commented Jan 22, 2020

From what I read, it seems that the SameSite=None; Secure setting would be the correct choice for the session cookie in this case vs Lax. The bug in Safari was fixed although it's still present in older versions:

https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
https://adzerk.com/blog/chrome-samesite/
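As an added example (not Matomo's code and not the merged fix), here is one way to implement the rule the thread converges on: emit SameSite=None only when the request is HTTPS (so Secure is valid), when the instance is meant to be embedded cross-site, and when the client is not one of the browsers that mishandle SameSite=None; otherwise fall back to Lax. The function names, the framedPagesEnabled option (standing in for enable_framed_pages) and the two user-agent regexes are this example's own assumptions; the regexes cover Safari and WebKit on iOS 12 and macOS 10.14 only and are not a complete compatibility list.

```javascript
// Added example, not Matomo's code: selecting the SameSite attribute for a
// session cookie per request. Function and option names are hypothetical.

// Clients known to treat SameSite=None as Strict or to drop such cookies:
// Safari and WebKit views on iOS 12, and Safari on macOS 10.14. These two
// regexes are a simplified version of that check, not a full list.
function clientRejectsSameSiteNone(userAgent) {
  const ios12 = /\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\//.test(userAgent);
  const macos1014Safari =
    /\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\//.test(userAgent) &&
    /Version\/.* Safari\//.test(userAgent);
  return ios12 || macos1014Safari;
}

// Decide the attributes for one request.
//   https              - the request arrived over HTTPS (Secure is only valid there)
//   framedPagesEnabled - the instance is meant to be embedded cross-site
//   userAgent          - the client's User-Agent header
// SameSite=None needs all three to line up; Lax still works for top-level
// navigations and for same-site embedding, so it is the safe fallback.
function sessionCookieAttributes({ https, framedPagesEnabled, userAgent }) {
  const attrs = ["Path=/", "HttpOnly"];
  if (https) attrs.push("Secure");
  const useNone = framedPagesEnabled && https && !clientRejectsSameSiteNone(userAgent);
  attrs.push(useNone ? "SameSite=None" : "SameSite=Lax");
  return attrs;
}

// Build the Set-Cookie header value for a session cookie.
function buildSetCookie(name, value, opts) {
  return `${name}=${value}; ${sessionCookieAttributes(opts).join("; ")}`;
}

// Constructed user agents for the cases that matter here.
const UA_CHROME_79 =
  "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/79.0.3945.117 Safari/537.36";
const UA_IOS_12_SAFARI =
  "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1";
```

With HTTPS, framed pages enabled and a current Chrome, buildSetCookie yields "...; Secure; SameSite=None"; over plain HTTP, or for the iOS 12 client, it falls back to SameSite=Lax, which is the trade-off Findus23 and dm577 describe above.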

mattab (Member) commented Jan 30, 2020

It seems fixed as the PR is merged, so closing 👍

@mattab mattab closed this as completed Jan 30, 2020