Workaround of SameSite default change for Shibboleth SP _shibstate_ ?

Takeshi NISHIMURA takeshi at nii.ac.jp
Fri Jan 31 05:16:50 EST 2020


Hi all,

I found it is difficult to conditionally add SameSite=None to the _shibstate_ cookie.

We use Shibboleth SP and Apache httpd on CentOS 7.
With the following configuration I succeeded in adding the SameSite flag to e.g. JSESSIONID, but it had no effect on Shibboleth SP's cookies.

> Header edit Set-Cookie ^(.*)$ $1;SameSite=None

I know we can add SameSite via cookieProps, but I want to do it conditionally, due to old Safari.

Does anyone suffer from the same problem?

BTW,
the following sentences mean "Cross-Domain" rather than cross-site. I've misunderstood that.

> 3. Let “target” be the *registrable domain* of “request”'s current url.
> 4. If “site” is an exact *match* for “target”, return “same-site”.
> 5. Return “cross-site”.

Thanks in advance,
Takeshi
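
An added example, not part of the original post and not Shibboleth project configuration: one way to make the `Header edit` rule above conditional in httpd, using mod_setenvif to flag old Safari and mod_headers' `env=` clause to skip those clients. The variable name `no_samesite_none` and the User-Agent patterns are assumptions, as is the premise that the SP's cookies sit in the header table that mod_headers only edits under its `always` condition.

```apache
# Requires mod_setenvif and mod_headers.

# Flag clients that mishandle SameSite=None (assumed patterns, limited to
# the "old Safari" case from the post):
#   - any browser on iOS 12 (all use the system WebKit)
#   - Safari on macOS 10.14 (matched by "Version/... Safari/", which
#     Chrome on the same OS does not send)
# no_samesite_none is a hypothetical variable name.
BrowserMatch "\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/" no_samesite_none
BrowserMatch "\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/.*Version/.* Safari/" no_samesite_none

# Default ("onsuccess") table: cookies set by proxied or handler content on
# successful responses, e.g. JSESSIONID as in the post.
Header edit Set-Cookie ^(.*)$ "$1; SameSite=None" env=!no_samesite_none

# "always" table: headers a module places in the error-headers table, which
# is also sent on redirects. Assumption: the SP's cookies, including
# _shibstate_, are emitted there, which would explain why the rule above
# does not touch them.
Header always edit Set-Cookie ^(.*)$ "$1; SameSite=None" env=!no_samesite_none

# Browsers that enforce the new default accept SameSite=None only on
# cookies that also carry the Secure attribute, so the edited cookies must
# already be issued with Secure over HTTPS.
```

The two `Header` lines act on separate tables, so a given cookie is edited once. Flagged clients receive the cookie unchanged.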

