SAK-39319: Create LoadBalancer Cookie For Use in SameSite=strict Scenarios


    Details

    • Type: Bug
    • Status: OPEN
    • Priority: Major
    • Resolution: Unresolved
    • Affects Version/s: 12.1, 19.0
    • Fix Version/s: None
    • Component/s: Kernel
    • Labels:
      None
    • Previous Issue Keys:
      KNL-1592
    • Test Plan:
      Please add a Test Plan here.

      Description

      Sites using a load balancer with multiple Sakai App Servers and sticky sessions depend on the load balancer host appended to the session cookie as a mechanism to route incoming requests to the correct server on the load balancer. If we set SameSite=strict on the session cookie, the session will not be sent on GET requests that originate from another server. This would (for example) break situations where a user logs into Sakai and then goes to a portal or something that lists their classes and clicks on a deep link into a Sakai class. It would also cause a problem if a teacher made a Google Site as their Lessons tool that had links back into Sakai.

      There are many scenarios where simple GET URLs into Sakai might come from a website outside Sakai. One solution is to never go beyond SameSite=lax, and that might be enough for many sites, but some sites might want to use SameSite=strict.

      I think that the solution is to put out another cookie that simply is the server within the cluster without the session ID. This way, if folks wanted to work hard enough, they could go with SameSite=strict and load balance using this other cookie.

      It seems like a simple enough feature that we should get this in early and backport it to any version of Sakai that ends up with the SameSite feature in KNL-1584.
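As an added illustration (not code from the issue or from Sakai), the following Python models the browser's SameSite decision for a request and the load balancer's sticky routing, first with only the node-suffixed session cookie and then with the separate routing cookie the issue proposes; it shows only the routing decision, not session validity. The cookie names JSESSIONID and SAKAI_NODE, the node names and the "sessionid.node" suffix format are assumptions.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Cookie:
    name: str
    value: str
    same_site: str  # "Strict", "Lax" or "None"


def cookies_sent(jar: List[Cookie], cross_site: bool, top_level_get: bool) -> Dict[str, str]:
    """Model of which cookies a browser attaches to a request.
    Strict: never on cross-site requests. Lax: cross-site only on top-level
    GET navigations (the deep-link case in the issue). None: always."""
    sent: Dict[str, str] = {}
    for c in jar:
        if not cross_site or c.same_site == "None" or (c.same_site == "Lax" and top_level_get):
            sent[c.name] = c.value
    return sent


def route(cookies: Dict[str, str], servers: List[str]) -> Optional[str]:
    """Sticky routing: prefer the dedicated routing cookie (assumed name
    SAKAI_NODE), otherwise the node suffix appended to the session id,
    e.g. JSESSIONID=abc123.node2. None means the LB may pick any node."""
    node = cookies.get("SAKAI_NODE")
    session = cookies.get("JSESSIONID", "")
    if node is None and "." in session:
        node = session.rsplit(".", 1)[1]
    return node if node in servers else None


SERVERS = ["node1", "node2", "node3"]  # constructed cluster


def strict_session_only(cross_site: bool, top_level_get: bool) -> Optional[str]:
    # Today's setup: routing information lives only in the Strict session cookie.
    jar = [Cookie("JSESSIONID", "abc123.node2", "Strict")]
    return route(cookies_sent(jar, cross_site, top_level_get), SERVERS)


def strict_with_routing_cookie(cross_site: bool, top_level_get: bool) -> Optional[str]:
    # Proposed setup: a Lax routing cookie carrying only the node, no session id.
    jar = [Cookie("JSESSIONID", "abc123.node2", "Strict"),
           Cookie("SAKAI_NODE", "node2", "Lax")]
    return route(cookies_sent(jar, cross_site, top_level_get), SERVERS)
```

A same-site request routes to node2 in both setups; an external deep link (cross-site top-level GET) loses stickiness with the session cookie alone but still reaches node2 with the routing cookie.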

                People

                • Assignee: Unassigned
                • Reporter: csev Charles Severance
                • Votes: 0
                • Watchers: 8
