Partial fix Problems with Google Authentication Not Working

[robdog]

Affected version

2.2.8

For some reason, Google Authentication through Chrome is broken. I have a number of users who cannot log in through Chrome on desktop or Chromebooks. I am not able to log into XenForo through Chrome as well with my connected account. When I try to authenticate, it will simply send me right back to the auth screen.

Chrome Version: 97.0.4692.71 (Official Build) (x86_64)

 

[robdog]

One thing to note is that when I auth through Chrome, the session cookie value does not match a session in the DB. For FireFix and Safari, it works fine, there is a matching session in the DB.

 

[robdog]

Anyone else able to use Google authentication right now on any 2.2.x version??

 

[Mendalla]

Just signed in here with it but I'm on Edge Chromium, not Chrome itself. Won't be able to test on Chrome until later.

EDIT: Worked on my site as well.

 

[robdog]

Just signed in here with it but I'm on Edge Chromium, not Chrome itself. Won't be able to test on Chrome until later.

EDIT: Worked on my site as well.

Thanks for checking. I will check Edge Chromium, but let me know if you are able to log in with regular Chrome. Also, this does work fine on FireFox and Safari, but fails in Chrome.

 

[Mendalla]

Yep, when I try to login either here or my site with Chrome (version 97.0.4692.71 per Help - About) using Google it just takes me back to the guest view. Interesting. Also forced me to reset my password here so I could log in to respond. I've been logging in with Google here normally so forgot my site password.

 

[robdog]

Yep, when I try to login either here or my site with Chrome (version 97.0.4692.71 per Help - About) using Google it just takes me back to the guest view. Interesting. Also forced me to reset my password here so I could log in to respond. I've been logging in with Google here normally so forgot my site password.

Okay, phew. Bad that the bug exists, but glad I am not crazy, lol.

 

[robdog]

@Chris D, I hate to tag you, but wanted to see if you had any thoughts on this.

 

[robdog]

@Chris D, okay I figured out the issue.

The issue stems from leaving the cookie value SameSite empty. If the SameSite value is empty it is going to default to 'Lax'. You can read all about it here: https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite

Because this is getting set to 'Lax', it's causing the problem that I am describing above. The work around is to force it to a value of 'None'. Inserting random StackOver link: https://stackoverflow.com/questions...tting-from-office-365-oauth-callback/70661197

So where did I hax... I mean fix it(lol).

/public/src/XF/Http/Response.php in the setCookie function on line 330. I added this code to that function:

        // @HACK: This is to fix a cookie issue with Chrome 97+. The SameSite flag
        // is defaulting to 'Lax', which is causing a problem with cookies being
        // set properly. Since this is modifying a core file, it will need to fixed
        // each release until this is brought into core.
        if (\XF::config()['production']) {
            $sameSite = 'None';
        }

I had to add this "production" check because setting the SameSite to 'None' requires a secure environment, and my development environment is not secure. I have this hacked in, but this would be great if we could get it into core some how. This is only affect Chrome 97+, but I have a feeling that will continue to grow as more people upgrade their browsers.

 

[mattrogowski]

There does seem to be an issue with connected accounts in general, seemingly after a recent Chrome update. I can't use Twitter to log in in Chrome but can in Firefox. We had a support ticket for our connected account provider addon (which only adds new providers) but it seems to affect core XF.

Ticket we had mentioned changes to headers:

Firefox and old Chrome: [HTTP_SEC_FETCH_SITE] => same-origin [HTTP_SEC_FETCH_MODE] => same-origin [HTTP_SEC_FETCH_DEST] => empty
New Chrome: [HTTP_SEC_FETCH_DEST] => empty [HTTP_SEC_FETCH_MODE] => navigate [HTTP_SEC_FETCH_SITE] => cross-site

I had a similar issue on an unrelated Laravel project recently so it seems something in Chrome has changed here.

 

[Anomandaris]

Can confirm, we have been debugging this problem on my site for the past 9 days. We just discovered this new Chrome 97 issue and were able to confirm it's the cause of our problem.

They've done the same thing with Firefox 96:


This was a really annoying bug to track down.

We force users to pay using Paypal during registration and when paypal redirects them back to the main site to complete registration, the cookie is not being set because Chrome 97 is blocking the cookie as a CSRF attack.

 

[ingo.schramme]

Hi!
we've got the same problem with the brave browser which updated to the chrome 97. engine for their last update.

We have observed the same as mattrogowski:

Firefox and old Chrome:
[HTTP_SEC_FETCH_SITE] => same-origin
[HTTP_SEC_FETCH_MODE] => same-origin
[HTTP_SEC_FETCH_DEST] => empty

new version:

[HTTP_SEC_FETCH_DEST] => empty
[HTTP_SEC_FETCH_MODE] => navigate
[HTTP_SEC_FETCH_SITE] => cross-site

Chrome seems to set a new default if the value is empty from the server.

Regards, Ingo

 

[Mendalla]

Okay, now Edge seems to be doing it, too. Just tried it again. Makes sense since Edge is also using Chromium and is on 97 but I swear it was working yesterday.

 

[blackhawk74]

Having the same issue with our site as well, would love to see an official response to this

Just a note, having issues with connected accounts in general, not just Google.

 

[mbf]

Having the same issue with our site as well, would love to see an official response to this

Just a note, having issues with connected accounts in general, not just Google.

+1

 

[ingo.schramme]

Here:

Fixed - register_connected_account doesn't seem to correctly apply the _xfRedirect field

When logging in with Google/Twitter/another OAuth provider for the first time you are prompted to choose a username. After this, you get redirected back to the register confirm page rather than the page you were on previously even though $redirect is being passed into the template with the...

xenforo.com

 

[mattrogowski]

I think that's a separate issue to this.

 

[ingo.schramme]

Hi,

ah, you're right... damn. I thought the bug is fixed in the next release.

Regards, Ingo

 

[digitalpoint]

Ran into this for something else, but the root cause was the same (needing to set $sameSite = 'None';)

I was able to work around it by making my own Response class, then overriding the default one in the config.php file:

class Response extends \XF\Http\Response
{
   public function setCookieRaw($name, $value = '', $lifetime = 0, $path = '/', $domain = '', $secure = false, $httpOnly = true, $sameSite = null)
   {
      if ($sameSite === null)
      {
         $sameSite = 'None';
      }
      return parent::setCookieRaw($name, $value, $lifetime, $path, $domain, $secure, $httpOnly, $sameSite);
   }
}

A cleaner way to do it would be to support $sameSite as a config option similar to how $secure is.

public function setCookie($name, $value, $lifetime = 0, $secure = null, $httpOnly = true, $sameSite = null)
{
   $cookieConfig = $this->cookieConfig;

   $path = $cookieConfig['path'];
   $domain = $cookieConfig['domain'];
   $name = $cookieConfig['prefix'] . $name;

   if ($secure === null)
   {
      $secure = $cookieConfig['secure'];
   }

   if ($sameSite === null)
   {
      $sameSite = $cookieConfig['sameSite'];
   }

   return $this->setCookieRaw($name, $value, $lifetime, $path, $domain, $secure, $httpOnly, $sameSite);
}

Not sure what the ramifications of setting $sameSite = 'None'; as the default for everyone, but maybe it's necessary to retain the existing functionality of connected accounts?

 

[Jeremy P]

Are you guys still experiencing this? I can't reproduce it locally or here on this site with Chrome 99. I think lax cookies should still be visible for top-level cross-site redirects so long as they are GET requests, if I'm reading the spec right.