Add options for Cookie SameSite attribute #206
tsujiguchitky opened this issue Jan 22, 2020 · 0 comments
Description

Starting with Google Chrome 80, scheduled for release in February 2020, cookie behavior changes: Chrome treats cookies that have no declared SameSite value as SameSite=Lax. As a result, such cookies are not sent on cross-site POST requests.

Testing has shown that this change affects the following configurations and features:

  • CDSSO + Session Upgrade + XUI OFF
    • Additional authentication fails because iPlanetDirectoryPro is not sent to OpenAM.
  • SAML2 Authentication Module
    • Since AuthenticationStep is not sent to OpenAM, an Internal Server Error occurs.
  • SAML2 SLO
    • Logout is not performed because iPlanetDirectoryPro is not sent to OpenAM.
  • SAML SP + SP-Init SSO + POST binding + amlbcookie as sticky session
    • amlbcookie is not sent, so the SAML response is delivered to a server other than the one that issued the SAML request.

Solution

Add options to set SameSite=None on the cookies that break when treated as Lax.

We are planning to add the following settings at this time.

  • Default value of the SameSite attribute
  • SameSite setting list
    • Allows each cookie to be specified in {Cookie Name}=(SameSite Value) format.

We should also consider processing for browsers that are not compatible with SameSite. In particular, macOS 10.14 and iOS 12 can be significantly affected.
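As an added example (not code from this issue or from OpenAM), the following Python sketch shows how the proposed settings, a default SameSite value plus a per-cookie `{Cookie Name}=(SameSite Value)` list, could be applied to outgoing Set-Cookie headers, while leaving the attribute off for the incompatible clients the issue names (iOS 12 and macOS 10.14 Safari). The User-Agent patterns and the sample header values are assumptions; the Secure requirement reflects Chrome 80 rejecting SameSite=None cookies that are not also Secure.

```python
import re

# Constructed settings in the "{Cookie Name}=(SameSite Value)" format proposed above.
SAMESITE_DEFAULT = "Lax"
SAMESITE_LIST = "iPlanetDirectoryPro=None,amlbcookie=None,AuthenticationStep=None"

# Heuristic User-Agent patterns (an assumption of this example) for the clients the issue
# names as SameSite-incompatible: iOS 12 WebKit and Safari on macOS 10.14. Chrome on
# macOS 10.14 has no "Version/" token and is deliberately not matched.
_INCOMPATIBLE_UA = (
    re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/"),
    re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/.*Version/.*Safari"),
)

# Constructed User-Agent strings used as sample input.
CHROME80_UA = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
IOS12_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")

def parse_samesite_list(setting: str) -> dict:
    """Parse 'name=value,name=value' into {name: value}, ignoring malformed entries."""
    out = {}
    for entry in setting.split(","):
        name, sep, value = entry.strip().partition("=")
        if sep and name and value in ("None", "Lax", "Strict"):
            out[name] = value
    return out

def samesite_incompatible(user_agent: str) -> bool:
    """True when the client is known to mis-handle SameSite=None."""
    return any(p.search(user_agent or "") for p in _INCOMPATIBLE_UA)

def apply_samesite(set_cookie: str, user_agent: str,
                   default: str = SAMESITE_DEFAULT, per_cookie: dict = None) -> str:
    """Return the Set-Cookie header with the configured SameSite attribute applied."""
    if per_cookie is None:
        per_cookie = parse_samesite_list(SAMESITE_LIST)
    name = set_cookie.split("=", 1)[0].strip()
    value = per_cookie.get(name, default)
    # Drop empty parts and any existing SameSite attribute so the configured value wins.
    parts = [p.strip() for p in set_cookie.split(";")]
    parts = [p for p in parts if p and not p.lower().startswith("samesite")]
    if value == "None":
        if samesite_incompatible(user_agent):
            return "; ".join(parts)  # omit the attribute; the client would treat None as Strict
        if not any(p.lower() == "secure" for p in parts):
            parts.append("Secure")  # SameSite=None is only honoured together with Secure
    parts.append(f"SameSite={value}")
    return "; ".join(parts)
```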

References

@tsujiguchitky tsujiguchitky self-assigned this Jan 22, 2020
ogis-osada added a commit that referenced this issue Dec 17, 2020
* Add options to server settings

* Add processing to set SameSite attribute on server side

* Add processing to set SameSite attribute on client side

* Add processing to ignore SameSite incompatible browsers

* Fix property read error

* Place the property file in WEB-INF/classes for editing

* Add unit test

* Target Chrome on macOS 10.14 for SameSite

* Use partial match instead of exact match

Co-authored-by: OGIS-ShionOsada <[email protected]>