Cookies SameSite mode 'None' not working


Mohit Sharma
Hi All,
I am using SAML version 2.6.0.8 in my site and followed the below steps to make it compatible with the Chrome update, but when I check it in the browser, SameSite mode=None is not visible (screenshot attached).

What to do if using SAML Library releases from v2.5.0 but earlier than v3.0.0
SAML library v2.5.0 introduced the SAML high-level API which uses a cookie to maintain SAML session state.

The ASP.NET session cookie, rather than a separate SAML session cookie, is used to maintain SAML session state.

The ASP.NET session cookie must include a SameSite value of None and should be marked as secure.

To achieve this:

1. Update the web server to the latest ASP.NET release (ie ASP.NET v4.8 or later) to pick up the runtime support for SameSite.

Note that the application may continue to target an earlier version of the .NET framework. For example, your application's project may continue to target .NET framework v4.0 but you need to update the web server to ASP.NET v4.8.

2. Update the application's web.config to specify the following.


<sessionState cookieSameSite="None" />
<httpCookies requireSSL="true"/>



3. Confirm that SameSite is working as described in the section below.

Without these changes, the SameSite parameter is missing or set to either Lax or Strict.


set-cookie: ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly



After these changes, the SameSite parameter is included.


set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; secure;HttpOnly; SameSite=None



Note though that if the ASP.NET update hasn’t been installed on the web server, the unrecognized cookieSameSite attribute will result in an “Unrecognized attribute” configuration error at runtime.

These changes are not required if calling the SAML low-level API rather than the more commonly used SAML high-level API.


Please update if I am missing anything.
gopichinta
The same is happening to me also. We are using version 2.6.0.16.

We are using the below namespaces:
using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
Please confirm.
Thank You
ComponentSpace
We haven't been able to reproduce this issue.

This is standard Microsoft functionality that we're reliant on. It's not code that we've written.

Have you tried this on different web servers or in your development environment?

If you remove <httpCookies requireSSL="true"/> from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.




Regards
ComponentSpace Development
gopichinta
Hi 

We are using the below namespaces:

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
is there any way to find out whether it is LOW-LEVEL or HIGH-LEVEL?

Please confirm.
Thank You

Mohit Sharma
ComponentSpace - 1/31/2020
We haven't been able to reproduce this issue.

This is standard Microsoft functionality that we're reliant on. It's not code that we've written.

Have you tried this on different web servers or in your development environment?

If you remove <httpCookies requireSSL="true"/> from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.




Yes, the web.config changes are in effect: on removing <httpCookies requireSSL="true"/> from web.config, the Secure flag is removed.


ComponentSpace
gopichinta - 1/31/2020
Hi 

We are using the below namespaces:

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
is there any way to find out whether it is LOW-LEVEL or HIGH-LEVEL?

Please confirm.
Thank You

The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

The SAML low-level API doesn't use a cookie.

Regards
ComponentSpace Development
ComponentSpace
[email protected] - 1/31/2020
ComponentSpace - 1/31/2020
We haven't been able to reproduce this issue.

This is standard Microsoft functionality that we're reliant on. It's not code that we've written.

Have you tried this on different web servers or in your development environment?

If you remove <httpCookies requireSSL="true"/> from web.config, does this result in the Secure flag not being set?

I just want to see if either of the web.config changes are in effect.




Yes, the web.config changes are in effect: on removing <httpCookies requireSSL="true"/> from web.config, the Secure flag is removed.


Thanks for the confirmation.

In our test environment all we had to do to get this to work was to install the .NET Framework v4.8 on the web server.

Prior to installing v4.8, the unrecognized cookieSameSite attribute resulted in an “Unrecognized attribute” configuration error at runtime.

You're not receiving an error but it sounds like the cookieSameSite attribute is being ignored.

I've included links to the Microsoft documentation below.

https://docs.microsoft.com/en-us/dotnet/api/system.web.configuration.sessionstatesection?view=netframework-4.8

https://docs.microsoft.com/en-us/dotnet/api/system.web.samesitemode?view=netframework-4.8

The second link includes the following comments:

"The behavior of None was modified by updates described in KB article 4531182 and KB article 4524421.

Without these updates, the None value does not emit the SameSite cookie header. This conforms to https://tools.ietf.org/html/draft-west-first-party-cookies-07#section-4.1."

Please ensure your server is up to date and specifically the relevant KB updates are installed.

Regards
ComponentSpace Development
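
The check this reply asks for, as an added example that is not part of the original thread and is not ComponentSpace or Microsoft code: it parses a Set-Cookie header and reports which of the two web.config settings is visible in it. The function names and result labels are assumptions; the first two sample headers are the ones from the first post and the third is constructed.

```python
SESSION_COOKIE = "ASP.NET_SessionId"  # default ASP.NET session cookie name

ADVICE = {  # hypothetical result labels, worded from the thread's findings
    "ok": "SameSite=None and Secure are both present.",
    "samesite-missing": "Neither web.config change is visible in the cookie.",
    "samesite-missing-secure-set": "requireSSL is in effect but cookieSameSite=None was "
        "not emitted; check the server for the KB updates quoted in the reply above.",
    "samesite-none-without-secure": "Chrome 80+ rejects SameSite=None without Secure.",
    "samesite-restricted": "Lax or Strict: not sent on cross-site POST requests.",
    "not-session-cookie": "Header does not set the session cookie.",
}

def parse_set_cookie(header):
    """Return (name, value, attrs) for one Set-Cookie header; attr keys lowercased."""
    if header.lower().startswith("set-cookie:"):
        header = header.split(":", 1)[1]
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", "", {}
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # flag attributes map to ""
    return name.strip(), value, attrs

def diagnose(header, cookie_name=SESSION_COOKIE):
    """Classify the session cookie's SameSite/Secure state as a key of ADVICE."""
    name, _, attrs = parse_set_cookie(header)
    if name != cookie_name:
        return "not-session-cookie"
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    if samesite is None:
        return "samesite-missing-secure-set" if secure else "samesite-missing"
    if samesite.lower() != "none":
        return "samesite-restricted"
    return "ok" if secure else "samesite-none-without-secure"

# The first two headers are quoted in the first post; the third is constructed
# to match the state the posters describe (Secure present, SameSite absent).
BEFORE = "set-cookie: ASP.NET_SessionId=dwhtw4ajbxblp5pw5arwf0ww; path=/; HttpOnly"
AFTER = ("set-cookie: ASP.NET_SessionId=2s2wesefh0cohv0ugctun4hl; path=/; "
         "secure;HttpOnly; SameSite=None")
IGNORED = "set-cookie: ASP.NET_SessionId=constructed0000000000000; path=/; secure; HttpOnly"

if __name__ == "__main__":
    for hdr in (BEFORE, AFTER, IGNORED):
        result = diagnose(hdr)
        print(result, "-", ADVICE[result])
```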
kevposton
ComponentSpace - 1/31/2020
gopichinta - 1/31/2020
Hi 

We are using the below namespaces:

using ComponentSpace.SAML2;
using ComponentSpace.SAML2.Assertions;
using ComponentSpace.SAML2.Protocols;
using ComponentSpace.SAML2.Profiles.SSOBrowser;
using ComponentSpace.SAML2.Configuration;

Does it belong to the LOW-LEVEL or HIGH-LEVEL API?
OR
is there any way to find out whether it is LOW-LEVEL or HIGH-LEVEL?

Please confirm.
Thank You

The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

The SAML low-level API doesn't use a cookie.

Is there a way to know what namespaces are high-level vs low-level?

We are using ComponentSpace.SAML2.Data, ComponentSpace.SAML2.Configuration and ComponentSpace.SAML2.Protocols.Certificates.
ComponentSpace
The SAML high-level API consists of the SAMLIdentityProvider and SAMLServiceProvider classes in the ComponentSpace.SAML2 namespace. Other classes, including those in the ComponentSpace.SAML2.Assertions and ComponentSpace.SAML2.Protocols namespaces are part of the SAML low-level API.

Regards
ComponentSpace Development
gopichinta
We have installed .NET Framework 4.8 on the system.
Using Chrome Version 80.0.3987.85 (Official Build) beta (64-bit)
Using ComponentSpace.SAML2.dll Version 2.6.0.16

And we are using .NET Framework 4.5 for the application.
And in the application's Web.config we changed the below:

<sessionState cookieSameSite="None" mode="InProc" customProvider="DefaultSessionProvider">
  <providers>
    <add name="DefaultSessionProvider" type="System.Web.Providers.DefaultSessionStateProvider, System.Web.Providers, Version=2.0.0.0, Culture=neutral, PublicKeyToken=31bf3856ad364e35" connectionStringName="DefaultConnection" />
  </providers>
</sessionState>
<httpCookies requireSSL="true" />

But "SameSite" is showing empty....

Any suggestion please.