bug: SameSite=Lax prevents coder_subdomain_app_session_token being properly set #17723

Status: Open

jingyuanliang opened this issue May 8, 2025 · 0 comments

Labels: needs-triage (Issue that require triage)

jingyuanliang commented May 8, 2025

Is there an existing issue for this?

  • I have searched the existing issues

Current Behavior

I have the following setup:

Coder runs at https://coder.mysite.com

Wildcard access URL at *.mysite.org

I use code-server with the Flutter extension (Dart-Code.flutter).

It has a Flutter Sidebar pane which doesn't work, showing up:

coder.mysite.com redirected you too many times.

Relevant Log Output

The pane is an iframe and has src: https://9101--main--gai--user.mysite.org/editorSidebar?cacheBust=dart-3.7.2-flutter-3.29.3&ide=VSCode&embedMode=one&theme=light&backgroundColor=f8f8f8&foregroundColor=3b3b3b

It gets redirected to: https://coder.mysite.com/api/v2/applications/auth-redirect?redirect_uri=https%3A%2F%2F9101--main--gai--user.mysite.org%2FeditorSidebar%3FcacheBust%3Ddart-3.7.2-flutter-3.29.3%26ide%3DVSCode%26embedMode%3Done%26theme%3Dlight%26backgroundColor%3Df8f8f8%26foregroundColor%3D3b3b3b

Then gets redirected to: https://9101--main--gai--user.mysite.org/editorSidebar?backgroundColor=f8f8f8&cacheBust=dart-3.7.2-flutter-3.29.3&coder_application_connect_api_key_35e783=xxxxxx&embedMode=one&foregroundColor=3b3b3b&ide=VSCode&theme=light

The response sends cookie: coder_subdomain_app_session_token=xxx; Path=/; Domain=mysite.org; HttpOnly; SameSite=Lax

... and redirects me to: https://9101--main--gai--user.mysite.org/editorSidebar?backgroundColor=f8f8f8&cacheBust=dart-3.7.2-flutter-3.29.3&embedMode=one&foregroundColor=3b3b3b&ide=VSCode&theme=light

... but the cookie is ignored by Chrome for having SameSite=Lax and not at top-level navigation, so the next request is sent without cookies, which goes back to the beginning of this loop.

Expected Behavior

The content of the pane can show up.

This can likely be done by setting SameSite=None.

Steps to Reproduce

  1. Set up coder with wildcard access URL at a different domain than the primary one. (I'm not sure if this "different domain" is a required trigger)
  2. Run code-server and install extension Dart-Code.flutter
  3. Try to use the Flutter Sidebar tool and it can't show up correctly
  4. There seems to be a https://coder.com/docs/reference/cli/server#--samesite-auth-cookie but I tried setting the env var CODER_SAMESITE_AUTH_COOKIE to none and it doesn't take effect (the Set-Cookie still has SameSite=Lax).

Environment

  • Host OS: Google Chrome Version 136.0.7103.92 (Official Build) (64-bit)
  • Coder version: v2.21.3+bd1ef88

Additional Context

I have tested this on the latest version. The issue occurs consistently.

@jingyuanliang jingyuanliang added the needs-triage Issue that require triage label May 8, 2025
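The loop in the report is a consequence of how browsers apply a cookie's SameSite attribute to requests that are not top-level navigations. What follows is an added example, not code from Coder, Chrome or the reporter: a small Node.js model of that rule plus the auth-redirect hop sequence quoted above, run once with SameSite=Lax and once with SameSite=None. It assumes the page embedding the sidebar iframe lives at https://coder.mysite.com (the report does not say where the embedder runs), approximates a URL's "site" as its last two DNS labels instead of consulting the Public Suffix List, and adds the Secure attribute to the SameSite=None cookie because browsers reject SameSite=None without it. The `makeServer` stand-in and the `loadSidebar` helper are hypothetical names chosen for this example.

```javascript
// Added example (not Coder or browser code): model of the SameSite rule and of
// the auth-redirect hop sequence from the issue.
// Assumption: the document embedding the iframe is at coder.mysite.com.
const TOP_LEVEL_ORIGIN = 'https://coder.mysite.com';

// Assumption: "site" = last two DNS labels (real browsers use the Public Suffix List).
function siteOf(url) {
  return new URL(url).hostname.split('.').slice(-2).join('.');
}

// Parse a Set-Cookie header into a cookie record (only the attributes we need).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1),
                   sameSite: 'Lax', secure: false, domain: null };
  for (const a of attrs) {
    const [k, v] = a.split('=');
    const key = k.toLowerCase();
    if (key === 'samesite') cookie.sameSite = v;
    else if (key === 'secure') cookie.secure = true;
    else if (key === 'domain') cookie.domain = v.replace(/^\./, '');
  }
  return cookie;
}

// A request is same-site when its URL and the top-level document share a site.
function isSameSiteRequest(url, topLevel) {
  return siteOf(url) === siteOf(topLevel);
}

// Decide whether a cookie may be sent on (or, as in the issue, accepted from)
// a request made in context ctx = { url, topLevel, topLevelNavigation }.
function cookieAllowed(cookie, ctx) {
  if (cookie.domain && !new URL(ctx.url).hostname.endsWith(cookie.domain)) return false;
  if (isSameSiteRequest(ctx.url, ctx.topLevel)) return true;
  switch (cookie.sameSite) {
    case 'None': return cookie.secure;          // cross-site only with Secure
    case 'Lax':  return ctx.topLevelNavigation; // cross-site only on top-level navigations
    default:     return false;                  // Strict: never cross-site
  }
}

// Hypothetical stand-in for the subdomain app: without a session cookie it bounces
// through the primary-domain auth-redirect endpoint, gets a one-time key back,
// exchanges the key for a session cookie and redirects to the clean URL.
function makeServer(sameSite) {
  const APP = 'https://9101--main--gai--user.mysite.org/editorSidebar';
  const AUTH = 'https://coder.mysite.com/api/v2/applications/auth-redirect';
  const KEY = 'coder_application_connect_api_key_35e783';
  const attrs = sameSite === 'None' ? 'Secure; SameSite=None' : `SameSite=${sameSite}`;
  return function handle(url, cookies) {
    const u = new URL(url);
    if (u.origin + u.pathname === AUTH) {
      const dest = new URL(u.searchParams.get('redirect_uri'));
      dest.searchParams.set(KEY, 'xxxxxx');
      return { status: 302, location: dest.href };
    }
    if (u.searchParams.has(KEY)) {
      u.searchParams.delete(KEY);
      return { status: 302, location: u.href,
               setCookie: `coder_subdomain_app_session_token=xxx; Path=/; Domain=mysite.org; HttpOnly; ${attrs}` };
    }
    if (cookies.has('coder_subdomain_app_session_token')) return { status: 200 };
    return { status: 302, location: `${AUTH}?redirect_uri=${encodeURIComponent(url)}` };
  };
}

// Follow the redirect chain as a browser would for an iframe load (no hop is a
// top-level navigation) or, if topLevelNavigation is true, for an address-bar load.
function loadSidebar(sameSite, topLevelNavigation = false, maxHops = 10) {
  const handle = makeServer(sameSite);
  const jar = [];
  const trace = [];
  let url = 'https://9101--main--gai--user.mysite.org/editorSidebar?embedMode=one';
  for (let hop = 0; hop < maxHops; hop++) {
    const ctx = { url, topLevel: TOP_LEVEL_ORIGIN, topLevelNavigation };
    const sent = new Map(jar.filter(c => cookieAllowed(c, ctx)).map(c => [c.name, c.value]));
    const res = handle(url, sent);
    trace.push({ url, cookiesSent: [...sent.keys()], status: res.status });
    if (res.setCookie) {
      const c = parseSetCookie(res.setCookie);
      if (cookieAllowed(c, ctx)) jar.push(c); // the issue's case: Lax cookie ignored here
    }
    if (res.status !== 302) return { result: res.status, hops: hop + 1, trace };
    url = res.location;
  }
  return { result: 'loop', hops: maxHops, trace };
}

console.log('Lax in iframe:', loadSidebar('Lax').result);        // loop
console.log('None in iframe:', loadSidebar('None').result);      // 200
console.log('Lax top-level:', loadSidebar('Lax', true).result);  // 200
```

The `trace` array returned by `loadSidebar` shows the same three-URL cycle quoted in the report (app, auth-redirect, app with key) repeating while no cookie is ever sent. The third call is the check a practitioner would want before relaxing the attribute: the same Lax cookie works when the sidebar URL is opened directly, so the trigger is the embedding context, not the cookie's Domain.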