Sakai issue SAK-39319

Create LoadBalancer Cookie For Use in SameSite=strict Scenarios

    Details

    • Type: Bug
    • Status: OPEN
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.1, 19.0
    • Fix Version/s: None
    • Component/s: Kernel
    • Labels:
      None
    • Previous Issue Keys:
      KNL-1592
    • Test Plan:
      Please add a Test Plan here.

      Description

      Sites using a load balancer with multiple Sakai App Servers and sticky sessions depend on the load balancer host appended to the session cookie as a mechanism to route incoming requests to the correct server on the load balancer. If we set SameSite=strict on the session cookie, the session will not be sent on GET requests that originate from another server. This would (for example) break situations where a user logs into Sakai and then goes to a portal or something that lists their classes and clicks on a deep link into a Sakai class. It would also cause a problem if a teacher made a Google Site as their Lessons tool that had links back into Sakai.

      There are many scenarios where simple GET URLs into Sakai might come from a website outside Sakai. One solution is to never go beyond SameSite=lax, and that might be enough for many sites, but some sites might want to use SameSite=strict.

      I think that the solution is to put out another cookie that simply is the server within the cluster, without the session ID. This way, if folks wanted to work hard enough, they could go with SameSite=strict and load balance using this other cookie.

      It seems like a simple enough feature that we should get this in early and backport it to any version of Sakai that ends up with the SameSite feature in KNL-1584.
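      As an added illustration (a Python simulation written for this page, not Sakai's own code), the block below issues the session cookie with SameSite=Strict plus the separate routing-only cookie proposed above, then shows what a browser sends on a same-site request versus a cross-site top-level GET and how a sticky-session load balancer would route each. The cookie name SAKAI_NODE, the node names and the session id are made-up placeholders.

```python
from http.cookies import SimpleCookie

SESSION_COOKIE = "JSESSIONID"  # Tomcat/Sakai session cookie name
ROUTE_COOKIE = "SAKAI_NODE"    # hypothetical routing-only cookie (placeholder name)


def set_cookie_headers(session_id, node, secure=True):
    """Return the two Set-Cookie values a cluster node would emit.

    The session cookie keeps the legacy '<sid>.<node>' suffix and is marked
    SameSite=Strict; the routing cookie carries only the node name (no session
    id) and stays SameSite=Lax so a top-level cross-site GET still reaches the
    node that owns the session."""
    flags = "; Secure" if secure else ""
    return [
        f"{SESSION_COOKIE}={session_id}.{node}; Path=/; HttpOnly{flags}; SameSite=Strict",
        f"{ROUTE_COOKIE}={node}; Path=/{flags}; SameSite=Lax",
    ]


def cookie_header_for(set_cookies, cross_site_get):
    """Simulate the browser: build the Cookie header for a request.

    A top-level cross-site GET (e.g. a deep link from a portal or a Google
    Site) drops SameSite=Strict cookies but keeps Lax ones; a same-site
    request sends everything."""
    sent = []
    for raw in set_cookies:
        for name, morsel in SimpleCookie(raw).items():
            if cross_site_get and morsel["samesite"].lower() == "strict":
                continue
            sent.append(f"{name}={morsel.value}")
    return "; ".join(sent)


def pick_node(cookie_header, default="any"):
    """Simulate sticky-session routing on the load balancer: prefer the
    routing cookie, fall back to the node suffix of the session cookie, and
    otherwise pick any node (the case the strict-only setup falls into)."""
    jar = SimpleCookie(cookie_header)
    if ROUTE_COOKIE in jar:
        return jar[ROUTE_COOKIE].value
    if SESSION_COOKIE in jar and "." in jar[SESSION_COOKIE].value:
        return jar[SESSION_COOKIE].value.rsplit(".", 1)[1]
    return default


if __name__ == "__main__":
    both = set_cookie_headers("s3ss10n", "node2")  # constructed sample values
    for label, cookies in (("strict + route cookie", both), ("strict only", both[:1])):
        for cross in (False, True):
            hdr = cookie_header_for(cookies, cross)
            print(f"{label:22} cross_site={cross!s:5} -> {pick_node(hdr)} [{hdr}]")
```

Run stand-alone, it prints which node each of the four request variants is routed to; the strict-only cross-site GET is the one that loses its routing information.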


    People

    • Assignee: Unassigned
    • Reporter: csev (Charles Severance)
    • Votes: 0
    • Watchers: 9
