Release date for 3.1.0
cantor.2 at osu.edu
Tue Mar 10 10:10:32 EDT 2020
> After the SameSite behaviour in Chrome 80:
> 2. It bypasses the notify section and redirects directly back to the identity
> provider with a good logout status "...binding=redirect&SAMLResponse=..."
> (No cookies changed)
I would have to look at it. The code may be assuming it's operating administratively if it doesn't see the cookie, and that might be fixable, but since that wouldn't happen until 3.1 it's moot anyway.
> I assume that the fix in 3.1.0 would fix this if you're requiring the _shibsession
> cookie to send the user to the Notify location?
I'm not sure it should be requiring that or why it does, but no, the session cookie will not be marked SameSite=None by default because that defeats the purpose of the change the web is making. If you want to open the session back up to XSRF that has to be done explicitly, but it can be done if desired.
I probably would not advise anybody to do that for logout. Once the third-party cookie hammer comes down for good, frames will be unusable and distributed logout will be officially over as a concept.
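The SameSite behaviour the thread turns on, as an added illustration that is not Shibboleth SP code: a small model of Chrome 80's cookie-sending rules applied to constructed versions of the scenarios above (the redirect back from the IdP, a front-channel logout frame, and a POST binding). It assumes the Chrome 80 Lax-by-default rules and leaves out the temporary "Lax+POST" exception.

```python
# Model of browser SameSite cookie-sending rules (Chrome 80 defaults), showing why an
# SP session cookie goes missing in a cross-site logout frame unless it is explicitly
# marked SameSite=None. Added illustration, not Shibboleth SP code; scenarios are constructed.
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Cookie:
    samesite: Optional[str]   # "Strict", "Lax", "None" or None (attribute absent)
    secure: bool = True

@dataclass(frozen=True)
class Request:
    cross_site: bool          # initiator site differs from the cookie's site
    top_level: bool           # top-level navigation vs. iframe/subresource load
    method: str = "GET"
    https: bool = True

def effective_samesite(c: Cookie, lax_by_default: bool = True) -> str:
    """Chrome 80 treats a cookie with no SameSite attribute as Lax.
    SameSite=None without Secure is rejected, so it also behaves like Lax here."""
    if c.samesite is None:
        return "Lax" if lax_by_default else "None"
    if c.samesite == "None" and not c.secure:
        return "Lax"
    return c.samesite

def cookie_sent(c: Cookie, r: Request, lax_by_default: bool = True) -> bool:
    """True if the browser attaches cookie c to request r (Lax+POST window ignored)."""
    if c.secure and not r.https:
        return False
    if not r.cross_site:
        return True
    mode = effective_samesite(c, lax_by_default)
    if mode == "Strict":
        return False
    if mode == "Lax":
        # Lax: only top-level navigations with a safe method carry the cookie
        return r.top_level and r.method in ("GET", "HEAD")
    return True   # None + Secure: sent cross-site, until third-party cookies are blocked outright

# Constructed scenarios: default SP session cookie vs. one explicitly opened up.
default_cookie = Cookie(samesite=None)
opened_up = Cookie(samesite="None", secure=True)
redirect_back = Request(cross_site=True, top_level=True)                 # ...binding=redirect
iframe_logout = Request(cross_site=True, top_level=False)                # front-channel logout frame
post_response = Request(cross_site=True, top_level=True, method="POST")  # POST binding
```

With the default cookie the SP sees no session in the logout frame, which matches the "no cookies changed" observation; marking it SameSite=None restores the frame case at the cost of reopening cross-site requests.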