Infinite SSO redirect on Safari

When using several Discourse instances that require login and use SSO, we ran into an infinite redirect on login in Safari on iOS. It looks like this:

  1. The user is logged in to neither Discourse nor the SSO master site.
  2. The user visits the Discourse instance.
  3. Discourse redirects to the SSO page.
  4. The SSO page prompts for credentials. The user logs in.
  5. The user gets stuck in a redirect loop between the SSO master site and Discourse until Safari gives up on the connection.
  6. If the user then manually visits Discourse again, they are already logged in.

I could not reproduce this behaviour in desktop Chrome.

While the client is in the redirect loop, multiple "Started SSO process" and "Logged in" log entries are generated, which suggests the SSO flow appears to succeed, but after completing SSO, Discourse redirects the user to another SSO login page instead of the page they started from.

This also affects older instances where SSO previously worked fine, so I don't think it is a Discourse configuration problem.

Does anyone know what might be going on?

Any ideas on this @sam?

I have seen this on sites that have the setting same site cookies set to Strict, if it is already on Lax recommend attempting to disable and see if it works around the Safari bug.

Maybe the new Safari Tech Preview from today will fix it:

Fixed Same-Site Lax cookies to be sent with cross-site redirect from a client-initiated load (r241918)
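To make the failure mode concrete, here is an added simulation (not code from Discourse or this thread) of the redirect chain above: a cookie jar that applies SameSite rules, a forum that behaves like Discourse's SSO login endpoint, an SSO site, and a browser switch that reproduces the WebKit behaviour fixed in r241918 (Lax cookies withheld for the rest of a navigation chain once it has crossed sites). The hostnames, cookie names and log-entry comments are constructed for the example.

```python
FORUM, SSO = "forum.example", "sso.example"   # constructed hostnames

class Browser:
    def __init__(self, safari_bug):
        self.safari_bug = safari_bug
        self.jar = {FORUM: {}, SSO: {}}          # host -> {cookie name: SameSite}

    def cookies_for(self, host, chain):
        """Cookies sent on a top-level GET; `chain` lists hosts already visited."""
        cross_site = any(h != host for h in chain)
        sent = []
        for name, samesite in self.jar[host].items():
            if samesite == "Strict" and cross_site:
                continue                         # Strict never survives a cross-site hop
            if samesite == "Lax" and cross_site and self.safari_bug:
                continue                         # the bug: Lax treated like Strict here
            sent.append(name)                    # Lax on top-level GET, or no SameSite
        return sent

def forum(browser, path, cookies, samesite):
    if "_t" in cookies:
        return ("page", None, None)              # session seen: serve the page
    if path == "/session/sso_login":             # "Logged in" log entry
        browser.jar[FORUM]["_t"] = samesite      # Discourse's session cookie
        return ("redirect", FORUM, "/")
    return ("redirect", SSO, "/login")           # "Started SSO process" log entry

def sso(browser, cookies):
    if "sess" not in cookies:                    # user enters credentials
        browser.jar[SSO]["sess"] = "Lax"
    return ("redirect", FORUM, "/session/sso_login")

def run_chain(b, samesite, max_hops=12):
    """Follow one navigation chain; return hops until a page, or None on a loop."""
    host, path, chain = FORUM, "/", []
    for hop in range(max_hops):
        cookies = b.cookies_for(host, chain)
        chain.append(host)
        kind, host, path = (forum(b, path, cookies, samesite)
                            if host == FORUM else sso(b, cookies))
        if kind == "page":
            return hop
    return None                                  # the browser "gives up" here

def login_flow(samesite, safari_bug):
    return run_chain(Browser(safari_bug), samesite)

def manual_visit_after_loop(samesite, safari_bug):
    """Step 6 of the report: a fresh user-typed visit starts a new, same-site chain."""
    b = Browser(safari_bug)
    run_chain(b, samesite)
    return forum(b, "/", b.cookies_for(FORUM, []), samesite)[0] == "page"
```

`login_flow("Lax", safari_bug=True)` loops while `login_flow(None, safari_bug=True)` (the "Disabled" setting) completes in three redirects, and `Strict` loops even in a browser without the bug, matching the reports above.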

You are :100:% correct. It was on Lax, the default. Changing it to Disabled fixed the issue immediately. (I assume this is a defense-in-depth thing, on top of your usual CSRF protections, so disabling it is not overly terrible for security?)

Let’s hope for the best!

Thank you for your help!


I rate you :star2::star2::star2::star2::star2::mage::mage: (five stars plus wizarding level two)!

:man_facepalming: I’ve spent a very long time figuring out a similar issue was caused by this samesite=lax behaviour:

This fixes my issue - at least on macOS Mojave - so I assume it fixes it on iOS too. Thanks!

I’d also like to know people’s opinions on this.

What with this being the Mozilla Discourse and all, we don’t have a huge amount of traffic from Safari, so don’t want to make ourselves vulnerable to CSRF attacks for something which will benefit a very small proportion of our users.