JSESSIONID cookie and SameSite attribute


David Hug

Jul 29, 2020, 8:42:32 AM7/29/20
to BigBlueButton-dev
I encounter a problem in Chrome when loading the [join url][2] in an iframe.
(The bbb server is on a different domain than the site containing the iframe.)
Certain Chrome users get a 401 "Session ... not found".

The problem is that in newer Chrome the JSESSIONID cookie gets
rejected because the SameSite attribute is not set. There are recent
[changes][1] in Chrome that default SameSite to Lax instead of None.
If I understand this correctly, the JSESSIONID cookie should be set with the attributes

    SameSite=None; Secure

Is my understanding correct? Is this something that will be addressed or is my
iframe setup not generally supported?

Thanks
David

David Hug

Jul 29, 2020, 8:49:20 AM7/29/20
to BigBlueButton-dev

Siddhartha Dev Gupta

Aug 14, 2020, 11:10:52 AM8/14/20
to BigBlueButton-dev
Hey David, did you find any solutions or workaround for this? Facing the same issue.

Pedro Beschorner Marin

Aug 14, 2020, 5:05:36 PM8/14/20
to BigBlueButton-dev

Francis D Souza

Aug 14, 2020, 10:28:03 PM8/14/20
to bigblueb...@googlegroups.com
In the properties file there is a parameter allowwithoutsession.
Set it to true.

It worked for me.

By the way, the iframe works for me. I faced the 401 issue when accessing the iframe via a webview; otherwise, through a browser, it works great.


Felipe Cecagno

Aug 15, 2020, 9:56:06 PM8/15/20
to bigblueb...@googlegroups.com
Make sure you understand the implications of using allowwithoutsession=true - the only information used to authenticate the user will be the sessionToken in the client URL, so if it's shared by a user, it will be possible to join the session without a proper JOIN in the API.

--
   
Felipe Cecagno


Lars Kiesow

Aug 16, 2020, 5:10:24 AM8/16/20
to BigBlueButton-dev
Copying over my answer from the other thread:

Chromium based browsers are starting to roll out stricter same-site cookie rules. It really depends on your integration if you need to make any modifications.
If you need that, you can easily set that in Nginx which BigBlueButton generally uses as reverse proxy by adding something like this:

    proxy_cookie_path / "/; secure; HttpOnly; SameSite=none";

Please make sure to understand what you are setting here before implementing this though.
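To make the two points in this thread concrete, here is an added example (not BigBlueButton's code, nor Lars's or David's): it evaluates a Set-Cookie header the way a browser that defaults SameSite to Lax treats it when the response is loaded in a cross-site iframe, and it models what the proxy_cookie_path rewrite above does to such a header. The sample headers are constructed; the rewrite model only covers the Path-attribute substitution the directive performs, which also exposes the caveat that a cookie without a Path attribute (or with a path other than "/") is left untouched by it.

```python
"""Check Set-Cookie headers for cross-site iframe use under Chrome's
"SameSite=Lax by default" behaviour, and model the proxy_cookie_path fix.
Added example for this thread; sample headers below are constructed."""

import re
from typing import Dict, List, Tuple

# Replacement text from the Nginx directive suggested in the thread.
# Assumption: we model only its effect on the Path attribute.
PROXY_COOKIE_PATH_REPLACEMENT = "/; secure; HttpOnly; SameSite=None"


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, {attribute: value}).
    Attribute names are lower-cased; flag attributes map to ''."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs


def cross_site_verdict(header: str) -> Tuple[bool, str]:
    """Return (accepted, reason) for a cookie set by a page framed cross-site.

    Rules applied (Chrome 80+ defaults):
      * no SameSite attribute   -> treated as Lax -> withheld cross-site
      * SameSite=Lax / Strict   -> withheld cross-site
      * SameSite=None           -> accepted only together with Secure
    """
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if not samesite:
        return False, f"{name}: no SameSite attribute, defaulted to Lax; withheld in cross-site iframe"
    if samesite in ("lax", "strict"):
        return False, f"{name}: SameSite={samesite}; withheld in cross-site iframe"
    if samesite == "none" and not secure:
        return False, f"{name}: SameSite=None without Secure; browser rejects the cookie"
    if samesite == "none":
        return True, f"{name}: SameSite=None; Secure; usable in cross-site iframe"
    return False, f"{name}: unrecognised SameSite value {samesite!r}; treated as the default (Lax)"


def apply_proxy_cookie_path(header: str) -> str:
    """Model `proxy_cookie_path / "<replacement>"`: rewrite a Path attribute
    whose value is exactly '/'. A cookie without a Path attribute, or with a
    different path, is left untouched, so the directive does not fix it."""
    return re.sub(
        r"(?i)(;\s*path=)/(?=\s*;|\s*$)",
        lambda m: m.group(1) + PROXY_COOKIE_PATH_REPLACEMENT,
        header,
    )


def audit(headers: List[str]) -> List[Tuple[str, bool, bool]]:
    """For each header return (name, accepted_before, accepted_after_rewrite)."""
    rows = []
    for h in headers:
        name, _ = parse_set_cookie(h)
        before, _ = cross_site_verdict(h)
        after, _ = cross_site_verdict(apply_proxy_cookie_path(h))
        rows.append((name, before, after))
    return rows


# Constructed sample headers covering the situations discussed in the thread.
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",                         # no SameSite -> Lax
    "JSESSIONID=abc123; Path=/; SameSite=None",                    # None without Secure
    "JSESSIONID=abc123; Path=/; Secure; HttpOnly; SameSite=None",  # correct form
    "JSESSIONID=abc123; HttpOnly",                                 # no Path: rewrite cannot help
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print("before:", cross_site_verdict(h)[1])
        print("after: ", cross_site_verdict(apply_proxy_cookie_path(h))[1])
```

Running the script shows the first two constructed headers going from rejected to accepted after the rewrite, the third already correct, and the fourth still rejected because there is no Path attribute for the directive to match; that last case is why checking the actual Set-Cookie header the server emits is worthwhile before relying on the Nginx rewrite.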

Rajesh Francis

Oct 21, 2020, 4:02:54 AM10/21/20
to BigBlueButton-dev

Hi Dsouza,

Can you please advise what all you did to make the iframe work. Many thanks for your help. I tried various things but they won't work.

Here is my question

Does the iframe tag work? Would you mind advising me how to make the iframe work? What settings do we need to do at the server level? I tried implementing the iframe and I get an authentication issue; I guess it is something to do with cookies. Both my app and the bbb server are in https mode and they are hosted on 2 EC2 servers in AWS.

I am ready to offload this work and pay for the effort.

The client doesn't want the user to go out of the web application and hence we need to embed BBB and give that seamless experience.

Your help is appreciated. I have done enough googling and can't find the solution and hence need your attention.

Regards