Bit of a SameSite update

Ryan Larscheidt larscheidt at wisc.edu
Fri Aug 14 16:19:17 UTC 2020


Hi Scott,

This update is timely! Yesterday I and others observed IdP session loss during cross-domain (non-wisc.edu) SSO HTTP-POST requests to our IdP, despite having htmlLocalStorage enabled and using ClientSessionStorageService.

I just want to verify that the "do nothing" option is still viable, perhaps I missed a setting?

For now I'm adding "; SameSite=None" to non-SameSite-annotated cookies when the user agent is Chrome / Chromium 80+ and Firefox 79+, which seems to have stemmed the bleeding.

Thanks!
Ryan
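The user-agent-conditional rewrite Ryan describes above, as an added Python example (not code from this thread or from the Shibboleth project): it appends SameSite=None only for Chrome/Chromium 80+ and Firefox 79+, leaves cookies that already carry a SameSite attribute alone, and also adds Secure, which those browsers require alongside SameSite=None. The cookie and User-Agent strings in the demo are constructed.

```python
import re
from typing import List, Tuple

# Browsers that now treat cookies without a SameSite attribute as Lax
# (the thread names Chrome/Chromium 80+ and Firefox 79+). Edge 80+ carries
# "Chrome/<major>" in its UA as well, so it is covered by the Chrome rule.
_CHROME = re.compile(r"(?:Chrome|Chromium)/(\d+)")
_FIREFOX = re.compile(r"Firefox/(\d+)")
_SAMESITE = re.compile(r";\s*SameSite\s*=", re.IGNORECASE)
_SECURE = re.compile(r";\s*Secure\b", re.IGNORECASE)


def needs_samesite_none(user_agent: str) -> bool:
    """True when the UA defaults unannotated cookies to SameSite=Lax.
    Older Chrome (< 80) and Safari are deliberately left untouched: some of
    those reject or mishandle SameSite=None, which is why Ryan gates on UA."""
    m = _CHROME.search(user_agent)
    if m and int(m.group(1)) >= 80:
        return True
    m = _FIREFOX.search(user_agent)
    return bool(m and int(m.group(1)) >= 79)


def annotate_cookie(set_cookie: str, user_agent: str) -> str:
    """Return the Set-Cookie value, adding SameSite=None (and Secure, which
    must accompany it) only when the UA needs it and the cookie has no
    SameSite attribute of its own."""
    if not needs_samesite_none(user_agent) or _SAMESITE.search(set_cookie):
        return set_cookie
    out = set_cookie.rstrip().rstrip(";")
    if not _SECURE.search(out):
        out += "; Secure"
    return out + "; SameSite=None"


def annotate_headers(headers: List[Tuple[str, str]], user_agent: str) -> List[Tuple[str, str]]:
    """Apply annotate_cookie to every Set-Cookie header in a response."""
    return [(n, annotate_cookie(v, user_agent) if n.lower() == "set-cookie" else v)
            for n, v in headers]


if __name__ == "__main__":
    # Constructed demo: a Chrome 84 UA and an IdP-style session cookie.
    ua = "Mozilla/5.0 (X11; Linux x86_64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/84.0.4147.105 Safari/537.36"
    print(annotate_cookie("shib_idp_session=abc; Path=/idp; HttpOnly", ua))
```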

________________________________
From: users <users-bounces at shibboleth.net> on behalf of Cantor, Scott <cantor.2 at osu.edu>
Sent: Thursday, August 13, 2020 14:39
To: Shib Users <users at shibboleth.net>
Subject: Re: Bit of a SameSite update

And...Firefox.

https://hacks.mozilla.org/2020/08/changes-to-samesite-cookie-behavior/

Will update the page with that.

-- Scott

On 8/13/20, 3:35 PM, "users on behalf of Cantor, Scott" <users-bounces at shibboleth.net on behalf of cantor.2 at osu.edu> wrote:

    I've been adjusting the page intro [1] a bit to reflect the fact that Chrome's breaking change has been rolling out for the last month, and will also be breaking Edge shortly.

    I also finally hit an SP behaving so pathologically broken with frames and POST such that third-party cookies alone weren't enough and the SameSite change broke the IdP.

    So it's starting to get real, just thought I'd note it.

    -- Scott

    [1] https://wiki.shibboleth.net/confluence/display/IDP4/SameSite

    --
    For Consortium Member technical support, see https://wiki.shibboleth.net/confluence/x/coFAAg
    To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net
