Workaround of SameSite default change for Shibboleth SP _shibstate_ ?

Cantor, Scott cantor.2 at osu.edu
Fri Jan 31 10:56:11 EST 2020


On 1/31/20, 5:17 AM, "users on behalf of Takeshi NISHIMURA" <users-bounces at shibboleth.net on behalf of takeshi at nii.ac.jp> wrote:

> I found it is difficult to conditionally add SameSite=None to _shibstate_ cookie.

I imagine it's impossible: the module has to set its headers with an outbound filter trick to keep them from being messed with, and they probably go out after modules like mod_headers run.

The relay state one really isn't a high-priority issue; it's the session cookie that creates the problems in real cross-site applications. Most clustering scenarios can probably rely on memory-based relay state, and if not, I'd just switch to by-value until a better fix emerges.

I will almost certainly be stuck implementing this idiotic dual cookie fix before Chrome drops the two minute grace window, which their last update is confirming they're going to do at some point.
 
-- Scott
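The "dual cookie" fix Scott refers to is the pattern of emitting each affected cookie twice: once with `SameSite=None; Secure` for browsers that implement the new `Lax` default, and once as a legacy copy with no `SameSite` attribute for older clients that drop or misinterpret the `None` value. The example below is added here to illustrate that pattern; it is not Shibboleth SP code and not anything from the thread. The cookie name `_session_`, the value, and the `-legacy` suffix naming convention are constructed for the demonstration.

```python
"""Added example of the dual-cookie SameSite workaround.

Not Shibboleth SP code: the cookie name, value and the '-legacy' suffix
convention are constructed for this demonstration.
"""
from http.cookies import SimpleCookie

# Assumption: the fallback cookie is distinguished by a fixed name suffix.
LEGACY_SUFFIX = "-legacy"


def dual_cookie_headers(name, value, path="/"):
    """Return the two Set-Cookie header values that make up the dual-cookie fix.

    1. The primary cookie carries SameSite=None; Secure, which browsers that
       default to Lax require before they will attach it to a cross-site POST
       (the SAML response coming back from the IdP).
    2. A legacy copy without any SameSite attribute, for clients that reject
       the None value outright or treat it as Strict; they keep the old
       "send everywhere" behaviour for this cookie instead.
    Both are Secure and HttpOnly so the fallback does not weaken the cookie
    beyond the cross-site behaviour it is meant to preserve.
    """
    primary = f"{name}={value}; Path={path}; Secure; HttpOnly; SameSite=None"
    legacy = f"{name}{LEGACY_SUFFIX}={value}; Path={path}; Secure; HttpOnly"
    return [primary, legacy]


def read_dual_cookie(cookie_header, name):
    """Resolve the value from an inbound Cookie header.

    The primary cookie wins when both arrive; the legacy copy is only used
    when a browser withheld (or never stored) the SameSite=None variant.
    Returns None when neither cookie is present, so the caller can fall back
    to a fresh request instead of trusting a missing state value.
    """
    jar = SimpleCookie()
    jar.load(cookie_header or "")
    for candidate in (name, name + LEGACY_SUFFIX):
        if candidate in jar:
            return jar[candidate].value
    return None


if __name__ == "__main__":
    # Constructed sample exchange: server emits both cookies, a modern browser
    # returns both, an older one returns only the legacy copy.
    for header in dual_cookie_headers("_session_", "abc123"):
        print("Set-Cookie:", header)
    print(read_dual_cookie("_session_=abc123; _session_-legacy=abc123", "_session_"))
    print(read_dual_cookie("_session_-legacy=abc123", "_session_"))
```

The server-side cost is that every state lookup has to accept either cookie name, which is the part that has to live inside the module that writes the headers, not in a filter such as mod_headers that runs before the module's outbound filter has emitted them.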
