Workaround of SameSite default change for Shibboleth SP _shibstate_ ?
Takeshi NISHIMURA
takeshi at nii.ac.jp
Fri Jan 31 05:16:50 EST 2020
Hi all,
I found it is difficult to conditionally add SameSite=None to the _shibstate_ cookie.
We use Shibboleth SP and Apache httpd on CentOS 7.
With the following configuration I succeeded in adding the SameSite flag to e.g. JSESSIONID, but it had no effect on Shibboleth SP's cookies.
> Header edit Set-Cookie ^(.*)$ $1;SameSite=None
I know we can add SameSite via cookieProps, but I want to do it conditionally, because of old Safari.
Does anyone suffer from the same problem?
BTW,
the following sentences mean "Cross-Domain" rather than cross-site. I've misunderstood that.
> 3. Let “target” be the *registrable domain* of “request”'s current url.
> 4. If “site” is an exact *match* for “target”, return “same-site”.
> 5. Return “cross-site”.
Thanks in advance,
Takeshi
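
The conditional rewrite asked about above, sketched in Python as an added example (not part of the original message and not Shibboleth or Apache code). The User-Agent rules follow the Chromium project's published list of clients incompatible with SameSite=None; the function names, sample User-Agent strings and cookie values are constructed for illustration.

```python
import re

def samesite_none_incompatible(ua: str) -> bool:
    """True if this User-Agent is known to reject or misread SameSite=None."""
    # Every browser on iOS 12 shares the affected WebKit.
    ios = re.search(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/", ua)
    if ios and int(ios.group(1)) == 12:
        return True
    chrome = re.search(r"Chrom(?:e|ium)/(\d+)", ua)
    # Safari and embedded WebKit views on macOS 10.14 treat None as Strict.
    mac = re.search(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/", ua)
    if mac and mac.groups() == ("10", "14"):
        safari = re.search(r"Version/.* Safari/", ua) and not chrome
        embedded = re.fullmatch(
            r"Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) "
            r"AppleWebKit/[.\d]+ \(KHTML, like Gecko\)", ua)
        if safari or embedded:
            return True
    # UC Browser before 12.13.2 and Chrome/Chromium 51-66 reject the cookie.
    uc = re.search(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if uc:
        return tuple(map(int, uc.groups())) < (12, 13, 2)
    return bool(chrome) and 51 <= int(chrome.group(1)) <= 66

def add_samesite_none(set_cookie: str, ua: str) -> str:
    """Append SameSite=None (plus Secure, which it requires) when safe to."""
    attrs = [a.strip().lower() for a in set_cookie.split(";")[1:]]
    if any(a.startswith("samesite=") for a in attrs):
        return set_cookie          # never override an explicit policy
    if samesite_none_incompatible(ua):
        return set_cookie          # old Safari etc.: leave the cookie alone
    out = set_cookie.rstrip("; ") + "; SameSite=None"
    if "secure" not in attrs:
        out += "; Secure"
    return out

# Constructed sample User-Agent strings.
SAFARI_MAC_10_14 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                    "Version/12.1.2 Safari/605.1.15")
CHROME_80 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
             "AppleWebKit/537.36 (KHTML, like Gecko) "
             "Chrome/80.0.3987.87 Safari/537.36")

if __name__ == "__main__":
    cookie = "_shibstate_example=value; path=/; HttpOnly"  # constructed
    for ua in (SAFARI_MAC_10_14, CHROME_80):
        print(add_samesite_none(cookie, ua))
```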