Same-site cookie attribute

The Chrome team have recently announced their intention to change the way their browser handles cookies that have no same-site cookie attribute:

As far as I can tell, this will affect the saml-session cookie. Can you confirm that you are aware of the issue? And that if required, you have plans to ensure continued compatibility with all currently usable browsers?


Thanks for your post, Yes, we’re aware of the issue and this will impact the saml-session cookie.
<ahref=“https:”" feature=“” 5088147346030592"=“”>

When adding the cookie, we specify SameSiteMode.None. However, depending on the version of ASP.NET Core, this may not result in a SameSite value being sent to the browser.

</ahref=“https:>There are changes in ASP.NET Core that are related to this.
<ahref=“https:”” aspnet=“” aspnetcore=“” issues=“” 12125"=“”>
</ahref=“https:><ahref=“https:”” questions=“” 56988877=“” samesite-cookie-attribute-ommited-by-asp-net-core"=“”>
You may have to update your version of ASP.NET Core. I’ll provide further details next week.

Please refer to:

Thanks for the updates.

Do you have any plans to handle the small number of incompatible clients or are they no longer supported?

See and

If these clients are no longer supported, then that information should probably be included in the knowledge base post you’ve linked to in the previous reply, otherwise people are going to find it very difficult to diagnose why authentication no longer works for certain clients.


We don’t have a definitive position on this yet.
Finding a solution that works for all versions of all browsers may prove difficult.
There are some workarounds we’re considering but none are ideal.
We will provide an update at some stage regarding browser support and possible workarounds.