Allow non Same-Site Cookies set on first request

[pointhi]

• Resolves: [Bug]: Same Site Cookies Not Set if First Request has Cookies (412 Precondition Failed) #41210

Summary

When any cookie is already present during the first request (e.g. an Apache module may choose to set it for various reasons) a 412 Precondition Failed error is returned on the first request. The second request works as intended as the Same-Site Cookies are now set correctly.

This breaks for example CalDAV/CardDAV syncs with Davx5 as the request is not retried after the first failure.

The proposed fix is to check for the explicit existence of nc_sameSiteCookielax or nc_sameSiteCookiestrict instead of just checking if any cookie exists. I used the proposed fix from the issue, but I think we can remove count($_COOKIE) > 0 as it looks redundant now.

Checklist

• Code is properly formatted
• Sign-off message is added to all commits
• Tests (unit, integration, api and/or acceptance) are included
• Screenshots before/after for front-end changes
• Documentation (manuals or wiki) has been updated or is not required
• Backports requested where applicable (ex: critical bugfixes)

[github-actions]

Hello there,
Thank you so much for taking the time and effort to create a pull request to our Nextcloud project.

We hope that the review process is going smooth and is helpful for you. We want to ensure your pull request is reviewed to your satisfaction. If you have a moment, our community management team would very much appreciate your feedback on your experience with this PR review process.

Your feedback is valuable to us as we continuously strive to improve our community developer experience. Please take a moment to complete our short survey by clicking on the following link: https://cloud.nextcloud.com/apps/forms/s/i9Ago4EQRZ7TWxjfmeEpPkf6

Thank you for contributing to Nextcloud and we hope to hear from you soon!

[thebaron06]

I can confirm that this solution is working and would appreciate this being merged.

[provokateurin]

I understand the idea of the fix and why it is not working correctly at the moment, but I fail to see why this is necessary in the first place. What use-case does this fix? When do you already have a cookie present?

[provokateurin]

Suggested change

	if (count($_COOKIE) > 0 && (isset($_COOKIE['nc_sameSiteCookielax']) || isset($_COOKIE['nc_sameSiteCookiestrict']))) {
	if (isset($_COOKIE['nc_sameSiteCookielax']) || isset($_COOKIE['nc_sameSiteCookiestrict'])) {

And adjust the elseif below to be a simple else.

[thebaron06]

For me the use-case is to allow the DAVx5 App to sync my contacts and calendars to and AIO instance of nextcloud.
If I understood it correctly, DAVx5 has already a same site cookie set on it's first request and sticks strict to a spec that says: 'don't try again on anything else than a 200 http code' or so. But there exists davx5 issues where this behavior is discussed.