Skip to content

Fix Teams tab SSO broken by SameSite=Lax session cookies#3246

Merged
patmr7 merged 1 commit into
MOODLE_502_STABLEfrom
wip-132661-m502
Jul 7, 2026
Merged

Fix Teams tab SSO broken by SameSite=Lax session cookies#3246
patmr7 merged 1 commit into
MOODLE_502_STABLEfrom
wip-132661-m502

Conversation

@patmr7

@patmr7 patmr7 commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Adjusts the Teams tab SSO flow to work around Moodle core’s SameSite=Lax session cookie behavior (introduced in MDL-83526) which prevents the browser from retaining the session in a cross-site iframe, causing the post-SSO navigation to appear anonymous.

Changes:

  • After a successful SSO login, re-emits the current session cookie with SameSite=None; Secure to allow it to be accepted in the Teams iframe.
  • Gates the re-emission behind a “secure cookies” check.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread local/o365/sso_login.php Outdated

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread local/o365/sso_login.php
@patmr7 patmr7 force-pushed the wip-132661-m502 branch from f0fed20 to cc05ca4 Compare July 3, 2026 10:28
Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Fix Teams tab SSO broken by SameSite=Lax session cookies

Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread local/o365/sso_login.php
Comment on lines +183 to +190
$cookieparams = session_get_cookie_params();
setcookie(session_name(), session_id(), [
'path' => $cookieparams['path'],
'domain' => $cookieparams['domain'],
'secure' => true,
'httponly' => $cookieparams['httponly'],
'samesite' => 'None',
]);
@patmr7 patmr7 merged commit 914e93e into MOODLE_502_STABLE Jul 7, 2026
38 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants