Skip to content

Fix Teams tab SSO broken by SameSite=Lax session cookies#3247

Open
patmr7 wants to merge 2 commits into
MOODLE_501_STABLEfrom
wip-132661-m501
Open

Fix Teams tab SSO broken by SameSite=Lax session cookies#3247
patmr7 wants to merge 2 commits into
MOODLE_501_STABLEfrom
wip-132661-m501

Conversation

@patmr7

@patmr7 patmr7 commented Jul 3, 2026

Copy link
Copy Markdown
Collaborator

Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses Microsoft Teams tab SSO failures caused by Moodle core setting the session cookie SameSite=Lax, which is not accepted in a cross-site iframe context. After a successful SSO login, it re-emits the session cookie with SameSite=None; Secure so the browser will retain the authenticated session when embedded in Teams.

Changes:

  • After successful Teams SSO ($loginsuccess), re-emit the PHP session cookie with SameSite=None; Secure.
  • Preserve the existing behavior of returning 200 on success and 401 on failure.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Comment thread local/o365/sso_login.php
Comment on lines +172 to +182
// The session cookie set by core carries SameSite=Lax (MDL-83526), which browsers reject in
// the cross-site iframe of the Teams tab, so re-emit it with "SameSite=None; Secure".
if (is_moodle_cookie_secure()) {
setcookie(session_name(), session_id(), [
'path' => $CFG->sessioncookiepath,
'domain' => $CFG->sessioncookiedomain,
'secure' => true,
'httponly' => (bool) $CFG->cookiehttponly,
'samesite' => 'None',
]);
}

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread local/o365/sso_login.php
Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Fix Teams tab SSO broken by SameSite=Lax session cookies

Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.
@patmr7 patmr7 force-pushed the wip-132661-m501 branch from 22c9b96 to 274e889 Compare July 3, 2026 10:30
Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Fix Teams tab SSO broken by SameSite=Lax session cookies

Since MDL-83526 (Moodle 4.5.12, 5.0.8, 5.1.5 and 5.2.1), core sets SameSite=Lax on the session cookie, which browsers reject in the cross-site iframe of the Teams tab. The SSO login in sso_login.php succeeded server-side, but the browser dropped the cookie and the subsequent course page request was anonymous, showing the login page.

Re-emit the session cookie with "SameSite=None; Secure" after a successful SSO login, mirroring the exception core makes for the Moodle mobile app.

Copilot AI left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Comment thread local/o365/sso_login.php
Comment on lines +183 to +190
$cookieparams = session_get_cookie_params();
setcookie(session_name(), session_id(), [
'path' => $cookieparams['path'],
'domain' => $cookieparams['domain'],
'secure' => true,
'httponly' => $cookieparams['httponly'],
'samesite' => 'None',
]);
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

None yet

Projects

None yet

Development

Successfully merging this pull request may close these issues.

2 participants