
When a user clicks a button on my site, a new window is opened to a third party site where the user browses items. After clicking an item, the new window is redirected back to my site with data about the item.

At this point (after the final redirect back to my site, not before), my site's session cookie (along with other cookies, my csrf token cookie is affected as well) is erased/lost/refreshed or whatever. If I reload the page on the "main" window (or even the new window), the old session is gone and the user is redirected back to my login page.

Example of the response header set-cookie on my site:

mysite_session=XXXXXXXXXXXXX; path=/; domain=.mysite.test; httponly; samesite=lax

I am using Laravel framework for PHP, although this should not be a factor as I had this same exact problem using pure PHP before I started converting my app to Laravel.

Code about each step:

1. User clicks a button on my site.

$(document).on("click", "#btn-open", function()
{
    const url = "https://mysite.test/browse";
    window.open(url, "_blank", "scrollbars=yes,resizable=yes");
});

1.5. A new window is opened. This will go through my site to get a single-use url to the third party site using their API.

https://mysite.test/browse is technically just:

<?php
$api = new ThirdPartyApi(/* data and stuff */);
$url = $api->getBrowseUrl();
?>
<html>
<body>
<h1>Wait - Redirecting...</h1>
<!-- echo the URL (the original was missing the echo); json_encode produces a
     quoted JS string literal, so the value cannot break out of the script -->
<script>window.location.href = <?= json_encode($url) ?>;</script>
</body>
</html>
2. User is redirected to the third party site (different domain).

3. After clicking an item, the user is redirected back to my site (https://mysite.test/return) with POST-data about the item.

https://mysite.test/return is technically just:

<?php
// JSON_HEX_TAG/JSON_HEX_AMP escape < > & so the POSTed data cannot inject
// markup into the inline script below
$itemData = json_encode($_POST["item"] ?? null, JSON_HEX_TAG | JSON_HEX_AMP);
?>
<html>
<body>
<script>
// echo the JSON (the original was missing the echo)
const itemData = <?= $itemData ?>;
// Do stuff with item data, example commented as it's unrelated
//window.opener.thirdPartyCallbackFunc(itemData);
//window.close();
</script>
</body>
</html>

I just cannot understand how it is possible that a third party site can somehow cause my own site's cookie to get modified.

Is it possible that the third party site is doing something strange with cookies or have I done something wrong? Anyone got any ideas?

bloodleh
  • Please check your code (in all pages) on whether any cookies are set / altered on the value of itemData – Ken Lee Jul 22 '21 at 01:53
  • @KenLee No cookies are set or altered anywhere in the code on these pages. – bloodleh Jul 22 '21 at 02:11
  • @KenLee Seconds or minutes. While testing, it has only been a couple seconds. – bloodleh Jul 22 '21 at 02:41
  • For further debugging: can you try using another browser to test (firefox / chrome / IE / opera) and see whether the problem persists? – Ken Lee Jul 22 '21 at 02:51
  • @KenLee Tested on Chrome, Firefox and Edge, the problem persists. – bloodleh Jul 22 '21 at 03:27
  • Do your cookies depend on the $api object? If you are not sure, change $api to $api2 and retry – Ken Lee Jul 22 '21 at 03:50
  • @KenLee Nope, the api object just makes a POST-request to the third party API which returns the single-use url. The cookies are also fine while browsing the items, when everything is already done with api object. – bloodleh Jul 22 '21 at 04:16
  • So step 3.) means, the third-party site outputs a form on their end, and submits it automatically, to your site? `samesite=lax` is supposed to prevent the cookie from being sent in that scenario, you will need to explicitly set `samesite=none`. – CBroe Jul 22 '21 at 06:55
  • @CBroe I read the third party source code and it indeed creates a hidden form and autosubmits it to my site. Didn't realize `lax` works that way too. Is it possible to use `none` only for specific requests and then continue using `lax`? Or should I just set `none` globally and go with that for this use case? – bloodleh Jul 22 '21 at 07:28
  • You would have to set your session cookie with `none` before that redirect to the 3rd-party site happens, and then you could set it with `lax` again afterwards … but that is probably asking for trouble, for example if the user has multiple tabs of your site opened in their browser, then you might be overwriting it with the wrong value in a different place at the wrong time … – CBroe Jul 22 '21 at 07:35
  • @CBroe I tested with the `samesite=none` now and it worked! Thank you! – bloodleh Jul 22 '21 at 13:45
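The comment thread reaches the explanation: a cookie marked `samesite=lax` is not attached to a cross-site top-level POST, so the auto-submitted form from the third party arrives at `/return` with no session cookie, the framework starts a fresh session and its new `Set-Cookie` overwrites the old one in the browser. The following script is an added example, not code from the question or from Laravel; it models the SameSite delivery rules for the `Set-Cookie` header quoted in the question and shows the corrected header. The helpers `parseSetCookie`, `cookieSentOn`, `simulateReturn` and `allowCrossSitePost` are hypothetical names, the browser model treats a missing `SameSite` attribute as Lax (Chromium's default) and ignores Chromium's temporary "Lax+POST" exception for cookies that carry no attribute at all, which does not apply here because the cookie sets `samesite=lax` explicitly.

```javascript
// Added example: models why a SameSite=Lax session cookie is dropped on a
// cross-site POST redirect and how SameSite=None; Secure fixes it.

// Parse a Set-Cookie header value into { name, value, attrs }.
// Attribute names are lowercased; flag attributes (httponly, secure) become true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf("=");
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return cookie;
}

// Safe methods per RFC 7231. A Lax cookie rides along on a cross-site
// top-level navigation only when the method is one of these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Decide whether a browser attaches `cookie` to a request `req`:
//   req.crossSite  initiator site differs from the request's site
//   req.method     HTTP method
//   req.topLevel   navigation that replaces the top-level document
// Assumption: a missing SameSite attribute is treated as Lax (Chromium default).
function cookieSentOn(cookie, req) {
  const sameSite = String(cookie.attrs.samesite || "lax").toLowerCase();
  if (!req.crossSite) return { sent: true, reason: "same-site request" };
  switch (sameSite) {
    case "strict":
      return { sent: false, reason: "SameSite=Strict: never sent cross-site" };
    case "none":
      if (!cookie.attrs.secure) {
        return { sent: false, reason: "SameSite=None without Secure is rejected by browsers" };
      }
      return { sent: true, reason: "SameSite=None; Secure: sent cross-site" };
    default: // lax
      if (req.topLevel && SAFE_METHODS.has(req.method.toUpperCase())) {
        return { sent: true, reason: "SameSite=Lax: top-level safe-method navigation" };
      }
      return { sent: false, reason: `SameSite=Lax: cross-site ${req.method.toUpperCase()} navigation` };
  }
}

// The header quoted in the question, and the request produced by the third
// party's auto-submitted hidden form: cross-site, POST, top-level.
const HEADER_FROM_QUESTION =
  "mysite_session=XXXXXXXXXXXXX; path=/; domain=.mysite.test; httponly; samesite=lax";
const RETURN_POST = { crossSite: true, method: "POST", topLevel: true };

function explainScenario(header) {
  return cookieSentOn(parseSetCookie(header), RETURN_POST);
}

// Server side, simplified: a framework that sees no session cookie starts a
// new session and sends a replacement Set-Cookie with the same name, domain
// and path, which the browser stores over the old one. That is the
// "modified" cookie observed in the question. `newSessionId` is a constructed value.
function simulateReturn(header, newSessionId) {
  const cookie = parseSetCookie(header);
  const { sent, reason } = cookieSentOn(cookie, RETURN_POST);
  if (sent) return { sessionKept: true, storedValue: cookie.value, reason };
  return { sessionKept: false, storedValue: newSessionId, reason };
}

// Rewrite the header so the cookie survives the cross-site POST:
// SameSite=None must be paired with Secure or browsers discard it.
function allowCrossSitePost(header) {
  const c = parseSetCookie(header);
  const attrs = { ...c.attrs, samesite: "None", secure: true };
  const parts = [`${c.name}=${c.value}`];
  for (const [k, v] of Object.entries(attrs)) parts.push(v === true ? k : `${k}=${v}`);
  return parts.join("; ");
}

console.log("lax cookie on return POST:", explainScenario(HEADER_FROM_QUESTION));
console.log("after fix:", allowCrossSitePost(HEADER_FROM_QUESTION));
```

In Laravel the equivalent of `allowCrossSitePost` is `'same_site' => 'none'` together with `'secure' => true` in `config/session.php`; the trade-off, as the comments note, is that `None` re-enables cookie delivery on every cross-site request, so the CSRF token check has to carry the protection that `Lax` was providing for free.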
