Bit of a SameSite update

Cantor, Scott cantor.2 at osu.edu
Fri Aug 14 21:11:00 UTC 2020


On 8/14/20, 4:13 PM, "users on behalf of Ryan Larscheidt" <users-bounces at shibboleth.net on behalf of larscheidt at wisc.edu> wrote:

>    This feels like Chrome's 2-minute "Lax + POST" window, let me know if there's more info I should provide.

That behavior doesn't fit our testing. Lack of SSO would apply if client storage weren't used.

And in fact, it doesn't make any sense. SSO "once" does not fit any known pattern that's been observed in any cases tested that I recall.

Either you got SSO or you didn't. If SameSite caused a problem, it got no cookies, it had to reload from local storage, and having done so, you get SSO. You either got SSO every time or never, based on whether local storage was used.

It doesn't make any sense that after waiting 2 minutes, it would work "once". If the cookie period had lapsed, then you'd get "some" behavior and that behavior would have to be consistent from that point on unless the timer were to be restarted (and that would make it work better, not worse).

So if anything, I could imagine "no SSO and then SSO", but the other way around doesn't fit the understanding of how this works.

-- Scott
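As an added illustration (not code from this thread, from Shibboleth, or from Chrome), the following model makes the cookie-attachment rules the messages above argue about concrete: whether a session cookie rides along on a cross-site top-level POST under SameSite Lax, Chrome's 2-minute "Lax + POST" grace period for cookies that carry no SameSite attribute at all, and the fallback to client storage when no cookie arrives. The cookie, arrival times and request shapes are constructed sample data; `cookieIsSent`, `ssoOutcome` and `simulate` are names chosen here, not IdP APIs.

```javascript
// Added model of SameSite cookie attachment plus cookie-then-local-storage
// session recovery. Not Shibboleth or browser code; assumptions are noted inline.

const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chrome's "Lax + POST" grace period

// Decide whether `cookie` is attached to `request`.
// cookie:  { sameSite: 'None' | 'Lax' | 'Strict' | null, secure: boolean, setAt: ms }
//          (null = no SameSite attribute; Chrome treats that as Lax by default)
// request: { crossSite: boolean, topLevel: boolean, method: string, now: ms }
function cookieIsSent(cookie, request) {
  if (!request.crossSite) return true;                   // same-site: always sent
  if (cookie.sameSite === 'None') return cookie.secure;  // None is only honoured with Secure
  if (cookie.sameSite === 'Strict') return false;        // never on a cross-site request
  const safeNavigation = request.topLevel && request.method === 'GET';
  if (safeNavigation) return true;                       // Lax allows top-level GET
  // Only cookies that defaulted to Lax (no attribute) get Chrome's 2-minute
  // allowance for a top-level cross-site POST; explicit Lax does not.
  const unsafeNavigation = request.topLevel && request.method === 'POST';
  return cookie.sameSite === null && unsafeNavigation &&
         request.now - cookie.setAt < LAX_POST_WINDOW_MS;
}

// Session lookup in the order the message describes: cookie, else client
// storage, else no session (and therefore no SSO).
function ssoOutcome(cookieSent, clientStorageEnabled) {
  if (cookieSent) return 'sso-from-cookie';
  if (clientStorageEnabled) return 'sso-from-local-storage';
  return 'no-sso';
}

// Replay a series of SAML POST bindings (cross-site, top-level POST) reaching
// the IdP at the given offsets after the session cookie was set.
function simulate(cookie, arrivalOffsetsMs, clientStorageEnabled) {
  return arrivalOffsetsMs.map(offset => {
    const request = { crossSite: true, topLevel: true, method: 'POST', now: cookie.setAt + offset };
    return ssoOutcome(cookieIsSent(cookie, request), clientStorageEnabled);
  });
}

// Constructed scenario: cookie with no SameSite attribute, set at t = 0;
// POST bindings arrive 30 s, 90 s and 200 s later.
const defaultLaxCookie = { sameSite: null, secure: true, setAt: 0 };
const arrivals = [30000, 90000, 200000];
console.log('without client storage:', simulate(defaultLaxCookie, arrivals, false));
console.log('with client storage:   ', simulate(defaultLaxCookie, arrivals, true));
```

With client storage enabled every arrival yields SSO, whichever way the cookie decision goes; without it, the outcome tracks the cookie alone, so the grace period is the only thing that changes over time. Swapping in `sameSite: 'None'` makes the cookie arrive on every POST, and `'Lax'` makes it arrive on none of them.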



