Forbidden error when trying to sign in - SameSite=None; Secure incompatible with old iOS, macOS, and Chrome
Forbidden error when trying to sign in
We're very sorry, but we're unable to log you in right now.
(Forbidden)
https://sentry.gitlab.net/gitlab/gitter-backend/issues/1238579/?referrer=gitlab_plugin
AuthenticationError: Forbidden
File "/opt/gitter/gitter-webapp/server/web/middlewares/passport-callback-for-strategy.js", line 17, in null.<anonymous>
handler(req, res, function(err) {
...
(23 additional frame(s) were not displayed)
AuthenticationError: Forbidden
Reproduction
We added `SameSite=None; Secure` to our Gitter cookies in https://gitlab.com/gitlab-org/gitter/webapp/-/merge_requests/1994. These cookie attributes cause the cookie to be completely rejected in the following versions, which leads to us thinking the user tried to sign in without the cookie.
This error will happen on any device running these versions:
- Chrome 51 - 66
- iOS 12
- Safari on macOS 10.14
| Result | Device | Browser | User agent |
|---|---|---|---|
| ❌ | iPhone 6 | Chrome or Safari | `Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1` |
| ✔ | iPhone 8 | Safari | `Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1` |
How to fix?
Add user-agent sniffing to conditionally add `SameSite=None; Secure` to the cookie. GitLab recently fixed this via gitlab-org/gitlab!40667 (merged).
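An added example in Node.js of the user-agent check this suggests (not Gitter's code and not the linked GitLab fix): it flags the client families listed above as rejecting the cookie and builds the `Set-Cookie` header accordingly. The regexes and the sample user agents beyond the two captured in this issue are assumptions.

```javascript
// Added example, not Gitter's or GitLab's own code: decide per request whether a
// cookie may carry `SameSite=None; Secure`, based on the clients this issue lists
// as rejecting it (Chrome 51-66, iOS 12, Safari on macOS 10.14).
function isSameSiteNoneIncompatible(userAgent) {
  const ua = userAgent || '';

  // iOS 12: every browser on iOS uses the system WebKit, so Chrome (CriOS)
  // and Safari on iOS 12 both reject the cookie.
  if (/\(iP(?:hone|ad|od);[^)]*\bOS 12_/.test(ua)) return true;

  // Safari on macOS 10.14. Chrome on the Mac carries a "Chrome/" token and
  // no "Version/" token, so it is excluded here and handled below.
  if (/Macintosh;[^)]*Mac OS X 10_14/.test(ua) &&
      /\bVersion\/\d/.test(ua) && !/\bChrome\//.test(ua)) {
    return true;
  }

  // Chrome 51 through 66 (desktop and Android); Chrome on iOS is covered above.
  const chrome = ua.match(/\bChrom(?:e|ium)\/(\d+)/);
  if (chrome) {
    const major = parseInt(chrome[1], 10);
    if (major >= 51 && major <= 66) return true;
  }
  return false;
}

// Build the Set-Cookie header value: the cross-site attributes go only to
// clients that understand them, so old clients still get a usable session cookie.
function buildSetCookie(name, value, userAgent) {
  const attrs = [`${name}=${encodeURIComponent(value)}`, 'Path=/', 'HttpOnly'];
  if (!isSameSiteNoneIncompatible(userAgent)) attrs.push('SameSite=None', 'Secure');
  return attrs.join('; ');
}

// Sample user agents: the first two are the ones captured in this issue, the
// rest are constructed for illustration.
const SAMPLE_UAS = {
  iphone6Chrome: 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/84.0.4147.122 Mobile/15E148 Safari/604.1',
  iphone8Safari: 'Mozilla/5.0 (iPhone; CPU iPhone OS 13_6_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Mobile/15E148 Safari/604.1',
  chrome60: 'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36',
  mojaveSafari: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
  mojaveChrome: 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.89 Safari/537.36',
};

for (const [label, ua] of Object.entries(SAMPLE_UAS)) {
  console.log(label, '->', buildSetCookie('session', 'abc123', ua));
}
```

The iPhone 6 line reproduces the ❌ case from the table above (Chrome on iOS 12 is still WebKit), while the iPhone 8 line gets the full `SameSite=None; Secure` cookie.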
Edited by Eric Eastwood