Make this site private - not working in Chrome and Opera

[joe-blocher]

Issue Summary

Change or delete the row 58:
versions/5.54.4/core/frontend/apps/private-blogging/lib/middleware.js

return session({
           name: 'ghost-private',
           maxAge: constants.ONE_MONTH_MS,
           signed: false,
           sameSite: 'lax'     <----- row 58: instead of 'none' or delete row
       })(req, res, next);

Or you can delete the row 58 because sameSite: 'Lax' is the default value.
You can't code 'secure' within an object - secure: true will not work.

Works now in Chrome and Opera.
See https://web.dev/i18n/en/samesite-cookies-explained

Steps to Reproduce

See https://forum.ghost.org/t/make-this-site-private-not-working/39938/1

Ghost Version

5.54.4

Node.js Version

v18.15.0

How did you install Ghost?

local, macos

Database type

SQLite3

Browser & OS version

No response

Relevant log / error output

No response

Code of Conduct

• I agree to be friendly and polite to people in this repository

[joe-blocher]

Maybe you can implement, like the 'ghost-admin-api-session':
versions/5.54.4/core/server/services/auth/session/express-session.js

function getExpressSessionMiddleware() {
            ...
           name: 'ghost-admin-api-session',
            cookie: {
                maxAge: constants.SIX_MONTH_MS,
                httpOnly: true,
                path: urlUtils.getSubdir() + '/ghost',
                sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
                secure: urlUtils.isSSL(config.get('url'))
            }
        });
    }
    return unoExpressSessionMiddleware;
}

[github-actions]

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

[joe-blocher]

In core/frontend/apps/private-blogging/lib/middleware.js:

´´´
const privateBlogging = {

    …
    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,
  //      sameSite: 'none'    <——— replace this with 2 lines below 
          sameSite: urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',
          secure: urlUtils.isSSL(config.get('url'))
    })(req, res, next);
},

´´´

and all is fine!
Implement in the same way as you did in
core/server/services/auth/session/express-session.js

[github-actions]

This issue is currently awaiting triage from @daniellockyer. We're having a busy time right now, but we'll update this issue ASAP. If you have any more information to help us triage faster please leave us some comments. Thank you for understanding 🙂

[daniellockyer]

Hey there, thank you so much for the detailed bug report.

That does look like something that shouldn't happen! A PR to fix this issue would be very welcome 🙂

[joe-blocher]

I have made the PR

[hussainb]

Hi, I am facing the same issue in the latest version of Ghost, unable to login to the private site using Chrome based browsers.

[joe-blocher]

It's nearly three month later ... an nothing happened. But for me it closed, because I'm working locally :-)
https://forum.ghost.org/t/make-this-site-private-not-working/39938

[hussainb]

It's nearly three month later ... an nothing happened. But for me it closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938

yeah, they didn't care to merge it. but I appreciate you for your troubleshooting and the fix.

I think just a rerun would be required to pass the build, otherwise the PR is already approved:

https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938

[joe-blocher]

I have made my first PR. I think the 2. one failed: Merge branch 'main' into joe-blocher-patch-1 <ae0f64e> I don't really know what is for and how I can delete this PR...

…

Am 16.10.2023 um 08:45 schrieb Hussain ***@***.***>: It's nearly three month later ... an nothing happened. But for me it closed, because I'm working locally :-) https://forum.ghost.org/t/make-this-site-private-not-working/39938 <https://forum.ghost.org/t/make-this-site-private-not-working/39938> yeah, they didn't care to merge it. but I appreciate you for your troubleshooting and the fix. I think just a rerun would be required to pass the build, otherwise the PR is already approved: https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938 <https://github.com/TryGhost/Ghost/actions/runs/6057836235/job/16821076886?pr=17938> <https://user-images.githubusercontent.com/4962633/275414297-2abc6c33-ed0c-442d-9e81-9cdbd0e405cd.png> — Reply to this email directly, view it on GitHub <#17514 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AWHNLAX5ONSU2FFFUG6MRN3X7TJZDANCNFSM6AAAAAA2ZM7QIU>. You are receiving this because you modified the open/close state.

[hussainb]

Maybe @daniellockyer can help

[joe-blocher]

You did't fix the error: Make this site private - not working not working in Chrome and Opera

SOLUTION - it told you in August 2023 and I have made the PR!

versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js

`const privateBlogging = {
....

    return session({
        name: 'ghost-private',
        maxAge: constants.ONE_MONTH_MS,
        signed: false,

        sameSite:   urlUtils.isSSL(config.get('url')) ? 'none' : 'lax',  <------------ insert this
        secure: urlUtils.isSSL(config.get('url'))  <------------------------------ insert this
        //sameSite: 'none' <------------------------------------------  row 58: remove
    })(req, res, next);
},`

[joe-blocher]

The pull request still not merged in version 5.82.2:
Fixed private mode cookie for local development #17938

Why not?

[vikaspotluri123]

What makes you say the PR wasn't merged? The commit shows that it's been in releases starting from 5.70.0.

[joe-blocher]

I've downloaded the code:
versions/5.82.2/core/frontend/apps/private-blogging/lib/middleware.js
But the code is still the same:
return session({ name: 'ghost-private', maxAge: constants.ONE_MONTH_MS, signed: false, sameSite: 'none' <------------------------------------------ why this? })(req, res, next); },

[vikaspotluri123]

The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:

#19298

[davedub]

The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:

#19298

OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

[joe-blocher]

The code being the same does not mean your PR was not merged. In this case it looks like this change ended up possibly breaking something else so it was reverted:
#19298

OK so that means it is still a problem. I am running 5.79.6 (released Feb 26) and cannot make the site private because of this bug. What's the ETA on solving this?

My solution:
I change always the code by myself, when I install an update. You have to change only 2 lines.
The first time I reported the solution in August 2023.
Maybe they will fix the bug sometimes ...