Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Jump to bottom

ENH Refactor password reset to support SameSite=Strict #11566

Draft
wants to merge 1 commit into
base: 5
Choose a base branch
from
Draft

ENH Refactor password reset to support SameSite=Strict #11566

wants to merge 1 commit into from

Conversation

Cheddam
Copy link
Member

@Cheddam Cheddam commented Jan 20, 2025

Description

Performing an immediate redirect on a request from an external website, such as a web-based email client, causes the new request to be treated as external, and when the session cookie is set to Samesite=Strict, this prevents the cookie from being sent by the browser, triggering a fresh session. This meant that the existing password reset mechanism would not function in this mode, as the AutoLoginHash was being stored in the session and immediately lost, triggering a redirect to the login form.

This change refactors the change password handler to instead push the AutoLoginHash value into the change password form as a hidden field, ensuring it can be read during submission.

It also includes broader test coverage of the change password handler, though this remains incomplete due to time constraints.

Manual testing steps

Enable SameSite=Strict on session cookies:

SilverStripe\Control\Session:
  cookie_samesite: 'Strict'

Issues

Pull request checklist

  • The target branch is correct
  • All commits are relevant to the purpose of the PR (e.g. no debug statements, unrelated refactoring, or arbitrary linting)
    • Small amounts of additional linting are usually okay, but if it makes it hard to concentrate on the relevant changes, ask for the unrelated changes to be reverted, and submitted as a separate PR.
  • The commit messages follow our commit message guidelines
  • The PR follows our contribution guidelines
  • Code changes follow our coding conventions
  • This change is covered with tests (or tests aren't necessary for this change)
  • Any relevant User Help/Developer documentation is updated; for impactful changes, information is added to the changelog for the intended release
  • CI is green

@Cheddam Cheddam mentioned this pull request Jan 20, 2025
Open
2 tasks
@Cheddam
ENH Refactor password reset to support SameSite=Strict
9b74757 
Performing an immediate redirect on a request from an external website,
such as a web-based email client, causes the new request to be treated
as external, and when the session cookie is set to Samesite=Strict, this
prevents the cookie from being sent by the browser, triggering a fresh
session. This meant that the existing password reset mechanism would
not function in this mode, as the AutoLoginHash was being stored in the
session and immediately lost, triggering a redirect to the login form.

This change refactors the change password handler to instead push the
AutoLoginHash value into the change password form as a hidden field,
ensuring it can be read during submission.

It also includes broader test coverage of the change password handler,
though this remains incomplete due to time constraints.
@Cheddam Cheddam force-pushed the pulls/5/password-reset-samesite-strict-compatibility branch from 9605a37 to 9b74757 Compare January 20, 2025 01:42
GuySartorelli
GuySartorelli requested changes Jan 27, 2025
View reviewed changes
Copy link
Member

@GuySartorelli GuySartorelli left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Haven't really looked at this properly, just saw some red thumbs sticking out.

src/Security/MemberAuthenticator/ChangePasswordHandler.php
* @param Member $member
* @param string $token
*/
protected function setSessionToken($member, $token)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't remove protected functions in a minor release, as they count as part of our "Public API" - see https://docs.silverstripe.org/en/5/project_governance/public_api/

src/Security/MemberAuthenticator/ChangePasswordHandler.php
@@ -319,10 +291,18 @@ public function doChangePassword(array $data, $form)
*
* @return HTTPResponse
*/
public function redirectBackToForm()
public function redirectBackToForm(?int $withMemberID = null, ?string $withToken = null)
Copy link
Member

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

We can't amend public method signatures in a minor release, as they count as part of our "Public API" - see https://docs.silverstripe.org/en/5/project_governance/public_api/

@Cheddam
Copy link
Member Author

Cheddam commented Jan 31, 2025

Might point this at CMS 6 if we wanna go ahead with it - will require tweaks to the MFA module subclasses too, and I don't think there's a clean way to refactor it without breaking semver.

@GuySartorelli
Copy link
Member

Sounds like a plan to me.
There are a couple of kinda-related issues you might want to look at at the same time:

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Reviewers

@GuySartorelli GuySartorelli GuySartorelli requested changes

Assignees
No one assigned
Labels
None yet
Projects
None yet
Milestone
No milestone
Development

Successfully merging this pull request may close these issues.
2 participants
@Cheddam @GuySartorelli