Infinite SSO redirect on Safari

With multiple Discourse instances that have login required set and use SSO, we’re experiencing infinite redirects on login with Safari on iOS. Here’s what happens:

  1. User is not logged in in Discourse or SSO master site.
  2. User navigates to Discourse instance.
  3. Discourse redirects to SSO page.
  4. SSO page prompts for credentials. User logs in.
  5. User is stuck in a redirect loop between the SSO master site and Discourse, until Safari gives up.
  6. If the user then manually navigates to Discourse again, he is logged in.

I cannot reproduce this behavior with Chrome on the desktop.
While a client is in the redirect loop, multiple Started SSO process and User was logged on entries are generated, so it looks like the SSO process is successful, but somehow, after completing SSO, Discourse redirects the user to another SSO login, not to the start page.

This also affects old instances where SSO has worked fine before, so I do not think this is a Discourse configuration issue.

Does anyone have an idea what could be wrong here?


Any ideas on this @sam?

I have seen this on sites that have the setting same site cookies set to Strict, if it is already on Lax recommend attempting to disable and see if it works around the Safari bug.


Maybe the new Safari Tech Preview from today will fix it:

Fixed Same-Site Lax cookies to be sent with cross-site redirect from a client-initiated load (r241918)


You are :100:% correct. It was on Lax, the default. Changing it to Disabled fixed the issue immediately. (I assume this is a defense-in-depth thing, on top of your usual CSRF protections, so disabling it is not overly terrible for security?)

Let’s hope for the best!

Thank you for your help!

I rate you :star2::star2::star2::star2::star2::mage::mage: (five stars plus wizarding level two)!


:man_facepalming: I’ve spent a very long time figuring out a similar issue was caused by this samsite=lax behaviour:

This fixes my issue - at least on macOS Mojave - so I assume it fixes it on iOS too. Thanks!

I’d also like to know people’s opinions on this.

What with this being the Mozilla Discourse and all, we don’t have a huge amount of traffic from Safari, so don’t want to make ourselves vulnerable to CSRF attacks for something which will benefit a very small proportion of our users.