https://bugs.koha-community.org/bugzilla3/show_bug.cgi?id=33259

--- Comment #59 from David Cook <[email protected]> ---
(In reply to David Cook from comment #58)
> In my App, I don't think that I have the ability to use different SameSite
> attributes for anonymous sessions vs authenticated sessions. It's governed
> by config for a plugin to the MVC framework. I might have a little play, but
> I'm thinking I might just use a different cookie for managing the whole SSO
> interaction. 
> 
> I'll let you know how I go...

I ended up saving the app sessionid in a "sso cookie" with a very short expiry
and a SameSite of Lax. So when the SSO redirected back to the App, I used the
"sso cookie" to get the sessionid, looked up the older anonymous session using
the sessionid, and then I was able to access the relevant state data.

I used that to validate the "state" value, fetch the redirect_uri I used for
the auth request, etc. 

It seemed like the least amount of change to get the desired result while still
maintaining security. 

--

At some point with Koha it would be nice to be able to redirect back to the
point where the SSO was initiated, but that's difficult with Plack since the
request uri gets shortened to "/opac" and "/intranet", although I guess we can
always have rewrites for those.
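The short-lived "sso cookie" arrangement described in the comment, written out as an added illustration (not David's code and not Koha's). It assumes a hypothetical cookie name `sso_sid`, an in-memory session store standing in for the app's session backend, and a five-minute Max-Age; the cookie is Lax so it is sent on the top-level GET the SSO redirects to, and the pending state is consumed once so a replayed callback fails:

```python
import hmac
import secrets
from http.cookies import SimpleCookie
from typing import Tuple

# Constructed in-memory session store (assumption: stands in for the
# app's real session backend, keyed by the app's sessionid).
SESSIONS = {}

SSO_COOKIE = "sso_sid"        # hypothetical cookie name, not the page's
SSO_COOKIE_MAX_AGE = 300      # seconds; deliberately short-lived


def start_sso(session_id: str, redirect_uri: str) -> Tuple[str, str]:
    """Record the OAuth 'state' and redirect_uri in the (still anonymous)
    app session and return (state, Set-Cookie value) for the auth redirect.
    The cookie carries only the sessionid; the state itself stays server-side."""
    state = secrets.token_urlsafe(32)
    SESSIONS.setdefault(session_id, {})["sso"] = {
        "state": state,
        "redirect_uri": redirect_uri,
    }
    c = SimpleCookie()
    c[SSO_COOKIE] = session_id
    c[SSO_COOKIE]["max-age"] = SSO_COOKIE_MAX_AGE
    c[SSO_COOKIE]["samesite"] = "Lax"   # sent on the top-level redirect back
    c[SSO_COOKIE]["httponly"] = True
    c[SSO_COOKIE]["secure"] = True
    c[SSO_COOKIE]["path"] = "/"
    return state, c.output(header="").strip()


def handle_callback(cookie_header: str, query: dict) -> dict:
    """Handle the redirect back from the SSO. Recover the anonymous session
    through the sso cookie, then validate 'state' before trusting the
    callback. The pending record is consumed whether or not it matches."""
    c = SimpleCookie()
    c.load(cookie_header)
    morsel = c.get(SSO_COOKIE)
    if morsel is None:
        return {"ok": False, "error": "no sso cookie"}
    session = SESSIONS.get(morsel.value)
    pending = session.pop("sso", None) if session else None   # one-shot
    if not pending:
        return {"ok": False, "error": "no pending sso for this session"}
    expected = pending["state"].encode()
    presented = str(query.get("state", "")).encode()
    if not hmac.compare_digest(expected, presented):
        return {"ok": False, "error": "state mismatch"}
    return {
        "ok": True,
        "session_id": morsel.value,
        "redirect_uri": pending["redirect_uri"],   # reuse for token request
        "code": query.get("code"),
    }


if __name__ == "__main__":
    st, set_cookie = start_sso("anon123", "https://app.example/sso/callback")
    print("Set-Cookie:", set_cookie)
    print(handle_callback("sso_sid=anon123", {"state": st, "code": "abc"}))
    print(handle_callback("sso_sid=anon123", {"state": st, "code": "abc"}))
```

Because the cookie only points at an existing server-side session, nothing sensitive is stored client-side, and the short Max-Age limits how long a stale pointer lingers after the SSO round trip completes.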

_______________________________________________
Koha-bugs mailing list
[email protected]
https://lists.koha-community.org/cgi-bin/mailman/listinfo/koha-bugs