Same-site cookie attribute

The Chrome team have recently announced their intention to change the way their browser handles cookies that have no same-site cookie attribute: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

As far as I can tell, this will affect the saml-session cookie. Can you confirm that you are aware of the issue? And that if required, you have plans to ensure continued compatibility with all currently usable browsers?

Cheers.

Thanks for your post. Yes, we’re aware of the issue and this will impact the saml-session cookie.
https://www.chromestatus.com/feature/5088147346030592

When adding the cookie, we specify SameSiteMode.None. However, depending on the version of ASP.NET Core, this may not result in a SameSite value being sent to the browser.

There are changes in ASP.NET Core that are related to this.
https://github.com/aspnet/AspNetCore/issues/8212
https://github.com/aspnet/AspNetCore/issues/12125
https://stackoverflow.com/questions/56988877/samesite-cookie-attribute-ommited-by-asp-net-core

You may have to update your version of ASP.NET Core. I’ll provide further details next week.

Please refer to:
https://www.componentspace.com/Forums/10491/SAML-cookie-SameSite-mode

Thanks for the updates.

Do you have any plans to handle the small number of incompatible clients or are they no longer supported?

See https://web.dev/samesite-cookie-recipes/#handling-incompatible-clients and https://www.chromium.org/updates/same-site/incompatible-clients

If these clients are no longer supported, then that information should probably be included in the knowledge base post you’ve linked to in the previous reply; otherwise, people are going to find it very difficult to diagnose why authentication no longer works for certain clients.

Cheers.

We don’t have a definitive position on this yet.
Finding a solution that works for all versions of all browsers may prove difficult.
There are some workarounds we’re considering but none are ideal.
We will provide an update at some stage regarding browser support and possible workarounds.
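
One application-side way to handle the incompatible clients raised in this thread, as an added example that is not part of the thread and not ComponentSpace code: an ASP.NET Core cookie policy that omits the SameSite attribute when the user agent matches the clients listed on the Chromium incompatible-clients page linked above. The class and method names are hypothetical, and it assumes ASP.NET Core 3.1 or later (for `SameSiteMode.Unspecified`) and that the cookie is written through `Response.Cookies`, so the cookie policy middleware sees it.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.AspNetCore.Builder;
using Microsoft.AspNetCore.Http;
using Microsoft.Extensions.DependencyInjection;

// Added example (hypothetical names). Call services.AddSameSiteCompat() at startup
// and app.UseCookiePolicy() before any middleware that writes cookies.
public static class SameSiteCompat
{
    public static IServiceCollection AddSameSiteCompat(this IServiceCollection services) =>
        services.Configure<CookiePolicyOptions>(o =>
        {
            o.MinimumSameSitePolicy = SameSiteMode.Unspecified;
            o.OnAppendCookie = c => Adjust(c.Context, c.CookieOptions);
            o.OnDeleteCookie = c => Adjust(c.Context, c.CookieOptions);
        });

    // Omit the attribute only for cookies marked None and only for affected clients.
    private static void Adjust(HttpContext http, CookieOptions cookie)
    {
        if (cookie.SameSite != SameSiteMode.None) return;
        string ua = http.Request.Headers["User-Agent"].ToString();
        if (DisallowsSameSiteNone(ua)) cookie.SameSite = SameSiteMode.Unspecified;
    }

    public static bool DisallowsSameSiteNone(string ua)
    {
        if (string.IsNullOrEmpty(ua)) return false;
        bool chromium = Regex.IsMatch(ua, @"Chrom(e|ium)");

        // Every browser on iOS 12 treats SameSite=None as Strict.
        if (Regex.IsMatch(ua, @"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/")) return true;

        // Safari and embedded WebKit views on macOS 10.14 do the same.
        if (Regex.IsMatch(ua, @"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/"))
        {
            bool safari = Regex.IsMatch(ua, @"Version/.* Safari/") && !chromium;
            bool embedded = Regex.IsMatch(ua, @"^Mozilla/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[\.\d]+ \(KHTML, like Gecko\)$");
            if (safari || embedded) return true;
        }

        // UC Browser on Android before 12.13.2 rejects the cookie.
        Match uc = Regex.Match(ua, @"UCBrowser/(\d+\.\d+\.\d+)");
        if (uc.Success) return Version.Parse(uc.Groups[1].Value) < new Version(12, 13, 2);

        // Chrome and Chromium 51 to 66 reject the cookie.
        Match cr = Regex.Match(ua, @"Chrom[^ /]+/(\d+)");
        return cr.Success && int.TryParse(cr.Groups[1].Value, out int major) && major >= 51 && major <= 66;
    }
}
```

Because the decision rests on User-Agent matching, a client that misreports its user agent gets whichever behaviour the reported string selects.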