WordPress ends up in a redirect loop (missing SameSite cookie attribute)

  • maxpaj
    Participant
    # 8 months, 3 weeks ago

    I’m trying to <iframe> my WordPress site which is using miniOrange SAML 2.0 SSO together with Azure AD.

    The <iframe> simply shows up as a gray page. When I look at the network tab in Chrome, I can see that there is a redirect loop. The site works when I visit it through its URL, but it does not work as an <iframe>.

    I can see that the set-cookie header for the WP-login fails due to missing SameSite attribute.

    [Attachment: Network log]

    Is it possible somehow to add a SameSite attribute to the set-cookie header?

    pranavinamdar
    Participant
    # 8 months, 3 weeks ago

    Hello there,

    AAD doesn’t allow opening the login page in an iframe for security reasons. It is required to prevent click-jacking attacks. You can refer to the OWASP documentation here. [ Link ]

    Let me know if you have additional questions.

    maxpaj
    Participant
    # 8 months, 3 weeks ago

    What if the user is already logged into AAD?
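The two browser rules behind this thread can be checked offline. The script below is an added example, not code from the thread, from miniOrange or from WordPress. It models (1) how Chrome treats a Set-Cookie header with no SameSite attribute (defaulting to Lax, so the login cookie is attached to a top-level visit but withheld from a request made inside a third-party iframe, which is exactly the "works directly, loops in the iframe" symptom), and (2) how X-Frame-Options or a CSP frame-ancestors directive can refuse framing outright, which is the point of the second reply. All header values and origins are constructed samples; the assumption that the AAD sign-in page answers with X-Frame-Options: DENY stands in for whatever header it really sends, and source matching in frame-ancestors is simplified to exact origins.

```python
"""Diagnose a login flow that works directly but loops inside a cross-site <iframe>.

Added example for the forum thread above, not code from the thread or from any
project it mentions. All header values below are constructed samples.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]   # normalised attribute value, None when absent
    secure: bool
    sent_cross_site: bool     # would the browser attach it to a third-party iframe request?
    reason: str


def classify_set_cookie(header_value: str) -> CookieVerdict:
    """Parse one Set-Cookie value and decide its fate in a cross-site iframe.

    Rules modelled (Chrome 80+ behaviour):
      - no SameSite attribute      -> treated as Lax, withheld from third-party iframes
      - SameSite=None without Secure -> the cookie is rejected entirely
      - SameSite=None; Secure        -> sent on cross-site requests
      - SameSite=Lax / Strict        -> withheld from third-party iframes
    """
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    samesite: Optional[str] = None
    secure = False
    for attr in parts[1:]:
        key, _, value = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = value.strip().lower() or None
        elif key == "secure":
            secure = True

    if samesite is None:
        return CookieVerdict(name, None, secure, False,
                             "no SameSite attribute: defaults to Lax, withheld from third-party iframe")
    if samesite == "none":
        if not secure:
            return CookieVerdict(name, "none", False, False,
                                 "SameSite=None without Secure: browser rejects the cookie")
        return CookieVerdict(name, "none", True, True,
                             "SameSite=None; Secure: sent on cross-site requests")
    return CookieVerdict(name, samesite, secure, False,
                         f"SameSite={samesite}: withheld from third-party iframe")


def framing_allowed(headers: Dict[str, str], embedder: str, framed: str) -> Tuple[bool, str]:
    """Decide whether a page served with `headers` may be framed by `embedder`.

    `embedder` and `framed` are origins such as "https://portal.example".
    A CSP frame-ancestors directive takes precedence over X-Frame-Options;
    with neither header present, framing is allowed. Only exact origins,
    'self', 'none' and '*' are matched (a simplification of real CSP matching).
    """
    lower = {k.lower(): v for k, v in headers.items()}
    for directive in lower.get("content-security-policy", "").split(";"):
        tokens = directive.split()
        if tokens and tokens[0].lower() == "frame-ancestors":
            sources = [t.strip("'").lower() for t in tokens[1:]]
            if "none" in sources:
                return False, "CSP frame-ancestors 'none'"
            if "*" in sources or embedder.lower() in sources:
                return True, "embedder listed in CSP frame-ancestors"
            if "self" in sources and embedder.lower() == framed.lower():
                return True, "same-origin framing allowed by 'self'"
            return False, "embedder not in CSP frame-ancestors"
    xfo = lower.get("x-frame-options", "").strip().upper()
    if xfo == "DENY":
        return False, "X-Frame-Options: DENY"
    if xfo == "SAMEORIGIN":
        if embedder.lower() == framed.lower():
            return True, "same-origin framing allowed by SAMEORIGIN"
        return False, "X-Frame-Options: SAMEORIGIN blocks cross-site embedder"
    return True, "no framing restriction header"


# Constructed samples for the scenario in the thread (not captured traffic).
WP_COOKIE_AS_OBSERVED = "wordpress_logged_in_EXAMPLE=user|1700000000|token; Path=/; HttpOnly"
WP_COOKIE_FIXED = WP_COOKIE_AS_OBSERVED + "; Secure; SameSite=None"
AAD_LOGIN_HEADERS = {"X-Frame-Options": "DENY"}  # assumption: stands in for AAD's real header


def main() -> None:
    for label, cookie in (("observed", WP_COOKIE_AS_OBSERVED), ("fixed", WP_COOKIE_FIXED)):
        v = classify_set_cookie(cookie)
        print(f"{label:8} {v.name}: sent_cross_site={v.sent_cross_site} ({v.reason})")
    ok, why = framing_allowed(AAD_LOGIN_HEADERS, "https://portal.example", "https://login.example")
    print(f"AAD login page framable by portal: {ok} ({why})")


if __name__ == "__main__":
    main()
```

Running it shows the observed cookie is withheld from the iframe (hence the loop: every request to wp-login arrives without a session), the fixed cookie would be sent, and even then the AAD sign-in step refuses to be framed, so an already-signed-in user still cannot complete the SAML round trip inside the iframe.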
