Heya!
I'm working on integrating a Traccar API into a Cordova app, powered by a third party. I'd like to use the WebSocket feature, but I can't seem to get the authentication working.
After setting the JSESSIONID cookie via POST /session, the cookie does not like to be sent along with further requests, as the cookie is blocked by Chromium browsers (see the image below). Info on SameSite can be found here: https://www.chromium.org/updates/same-site

Disabling flags #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure in chrome://flags made the code (with the POST session request) work flawlessly, but as of Chrome 91, these flags have been disabled and of course, you cannot just enable the flags inside a Cordova app.
Is there a way to send along the cookie without having the same origin as the API host? I thought of sending the JSESSIONID value via GET in the WSS url (ex. wss://traccar.thirdparty.com/api/socket?auth={JSESSIONIDvalue} ), but this would require server-side tweaks.
Have you tried configuring same site in Traccar? For example, like this:
<entry key='web.sameSiteCookie'>None</entry>
The third-party doesn't want to do that as they see it as a privacy concern, though I disagree. Can you maybe shed some light on this?
Then maybe you can just proxy everything to be on the same domain.
I'll have a look at that. Am currently using a proxy for some GET /positions requests, so might be able to use that for the WebSocket also. Though, I still feel like adding the entry would be the more elegant solution. Is there really a security concern there?
Thanks for the quick responses!
There is some concern, but it's up to you to make the decision.
I've been trying to get a proxy to work but can't really figure it out. Do you have a suggestion where I should look or is there a bit of Traccar demo code I could use?
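An added illustration, not part of any post above and not Traccar code: a simplified model of the Chromium SameSite rules discussed in this thread. It shows why a JSESSIONID cookie set without a SameSite attribute is withheld from a cross-site WebSocket handshake, and how a `SameSite=None; Secure` cookie or a same-domain proxy changes the outcome. The function names and cookie values are constructed for the example; the "Lax+POST" exception and site (registrable domain) computation are not modelled, so the caller states whether the request is cross-site.

```javascript
// Parse a Set-Cookie header value into the fields that matter for SameSite.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Decide whether the browser attaches the cookie to a request.
// request: { crossSite: boolean, topLevelNavigation: boolean, method: string }
function cookieDecision(header, request) {
  const c = parseSetCookie(header);
  // A missing or unrecognised SameSite value is treated as Lax.
  const mode = ['strict', 'lax', 'none'].includes(c.sameSite) ? c.sameSite : 'lax';
  if (mode === 'none' && !c.secure) {
    return { sent: false, reason: 'rejected: SameSite=None requires Secure' };
  }
  if (!request.crossSite) return { sent: true, reason: 'same-site request' };
  if (mode === 'none') return { sent: true, reason: 'SameSite=None; Secure' };
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method.toUpperCase());
  if (mode === 'lax' && request.topLevelNavigation && safe) {
    return { sent: true, reason: 'Lax allows safe top-level navigation' };
  }
  return { sent: false, reason: `SameSite=${mode} blocks cross-site subrequest` };
}

// Constructed sample inputs: a WebSocket handshake is a GET subrequest, not a navigation.
const crossSiteSocket = { crossSite: true, topLevelNavigation: false, method: 'GET' };
const proxiedSocket = { crossSite: false, topLevelNavigation: false, method: 'GET' };
const defaultCookie = 'JSESSIONID=example-session-id; Path=/';
const noneSecureCookie = 'JSESSIONID=example-session-id; Path=/; SameSite=None; Secure';
const noneInsecureCookie = 'JSESSIONID=example-session-id; Path=/; SameSite=None';

console.log(cookieDecision(defaultCookie, crossSiteSocket));      // blocked (default Lax)
console.log(cookieDecision(noneSecureCookie, crossSiteSocket));   // sent
console.log(cookieDecision(noneInsecureCookie, crossSiteSocket)); // rejected
console.log(cookieDecision(defaultCookie, proxiedSocket));        // sent (same site)
```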