ComponentSpace

Forums



Same-site cookie attribute


Same-site cookie attribute

Author
Message
JosephNewton
JosephNewton
New Member
New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)

Group: Forum Members
Posts: 5, Visits: 41
The Chrome team have recently announced their intention to change the way their browser handles cookies that have no same-site cookie attribute: https://blog.chromium.org/2019/10/developers-get-ready-for-new.html

As far as I can tell, this will affect the saml-session cookie. Can you confirm that you are aware of the issue? And that if required, you have plans to ensure continued compatibility with all currently usable browsers?

Cheers.


ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Thanks for your post, Yes, we're aware of the issue and this will impact the saml-session cookie.
https://www.chromestatus.com/feature/5088147346030592

When adding the cookie, we specify SameSiteMode.None. However, depending on the version of ASP.NET Core, this may not result in a SameSite value being sent to the browser.

There are changes in ASP.NET Core that are related to this.
https://github.com/aspnet/AspNetCore/issues/8212
https://github.com/aspnet/AspNetCore/issues/12125
https://stackoverflow.com/questions/56988877/samesite-cookie-attribute-ommited-by-asp-net-core

You may have to update your version of ASP.NET Core. I'll provide further details next week.

Regards
ComponentSpace Development
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
Please refer to:
https://www.componentspace.com/Forums/10491/SAML-cookie-SameSite-mode


Regards
ComponentSpace Development
JosephNewton
JosephNewton
New Member
New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)New Member (15 reputation)

Group: Forum Members
Posts: 5, Visits: 41
Thanks for the updates. 

Do you have any plans to handle the small number of incompatible clients or are they no longer supported?

See https://web.dev/samesite-cookie-recipes/#handling-incompatible-clients and https://www.chromium.org/updates/same-site/incompatible-clients

If these clients are no longer supported, then that information should probably be included in the knowledge base post you've linked to in the previous reply, otherwise people are going to find it very difficult to diagnose why authentication no longer works for certain clients. 

Cheers. 
ComponentSpace
ComponentSpace
ComponentSpace Development
ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)ComponentSpace Development (4.4K reputation)

Group: Administrators
Posts: 3.2K, Visits: 11K
We don't have a definitive position on this yet.
Finding a solution that works for all versions of all browsers may prove difficult.
There are some workarounds we're considering but none are ideal.
We will provide an update at some stage regarding browser support and possible workarounds.

Regards
ComponentSpace Development
GO


Similar Topics


Execution: 0.000. 1 query. Compression Enabled.
Login
Existing Account
Email Address:


Password:


Select a Forum....












Forums, Documentation & Knowledge Base - ComponentSpace


Search