Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Fixed private mode cookie for local development #17938

Merged
merged 3 commits into from
Oct 16, 2023

Conversation

joe-blocher
Copy link
Contributor

@joe-blocher joe-blocher commented Sep 2, 2023

"Make this site private" - not working in Chrome and Opera
Closes #17514


🤖 Generated by Copilot at acad566

Fix private blogging cookie issue with Chrome 80+. Update sameSite and secure options for the cookie in middleware.js based on SSL configuration.

@@ -55,7 +55,8 @@ const privateBlogging = {
name: 'ghost-private',
maxAge: constants.ONE_MONTH_MS,
signed: false,
sameSite: 'none'
sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
secure: urlUtils.isSSL(config.get('url'))
Copy link
Contributor

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Ghost is intended to work locally, over http, as well in production, over https.

Before, the sameSite attribute for the cookie was always set to none.

Here's what the MDN docs have to say about the sameSite attribute:

None specifies that cookies are sent on both originating and cross-site requests, but only in secure contexts (i.e., if SameSite=None then the Secure attribute must also be set).

But for the local-development case in the bug report, the secure flag wasn't being set and can't be set.

Here, the proposed solution it continue to sameSite: none just as before in the https/production case, but resolves the issue by setting sameSite: lax for the local case.

As @joe-blocher points out, Ghost is already using the exact same solution in core/server/services/auth/session/express-session.js for a similar case.

This change LGTM. I recommend merging.

@daniellockyer daniellockyer changed the title Fixed: Set cookie in privateBlogging - Update middleware.js Fixed private mode cookie for local development Oct 16, 2023
@daniellockyer daniellockyer merged commit f303eee into TryGhost:main Oct 16, 2023
16 checks passed
@joe-blocher joe-blocher deleted the joe-blocher-patch-1 branch October 16, 2023 09:16
ronaldlangeveld added a commit that referenced this pull request Dec 11, 2023
ronaldlangeveld added a commit that referenced this pull request Dec 11, 2023
@joe-blocher
Copy link
Contributor Author

Not fixed in version 5.82.2!

@kilmarnock
Copy link

I observe the error in 5.91.1. Can I help with some debug information?

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
None yet
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Make this site private - not working in Chrome and Opera
4 participants