Looping issue where no cookies are being sent in the response (Azure AD, Shibboleth SP)
cantor.2 at osu.edu
Mon Aug 1 16:08:32 UTC 2022
On 8/1/22, 12:00 PM, "users on behalf of Christopher Bongaarts via users" <users-bounces at shibboleth.net on behalf of users at shibboleth.net> wrote:
> We recently fixed an SP that was having looping problems because we
> were setting SameSite=None but had neglected to add "secure" as a
> cookieProps (if you omit the "secure" then Chrome ignores the cookie
That's why you don't need to (or want to) set it that way; there are other settings for SameSite independently of that.
There's a mention of doing this wrongly in one of the wiki pages which I will fix.
Generally, you don't need to do anything about SameSite, it's automatic. The exceptions are the Mac bug case, which is probably less relevant these days, and the session cookie, which has a separate setting but is generally ill-advised to change (you're opening it up to what SameSite is meant to stop, XSRF).
Looping because of SameSite at the SP is generally a sign of application misbehavior.
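
An added example, not part of the original thread and not Shibboleth code: a small check that can be run over captured `Set-Cookie` header values when diagnosing a loop, flagging the `SameSite=None` without `Secure` combination described in the quoted message. The function names, cookie names and header values are constructed for illustration.

```python
# Classify Set-Cookie header values by how their SameSite/Secure
# attributes combine. All sample cookie names/values are constructed.

def parse_set_cookie(header_value):
    """Return (cookie_name, attrs) with attribute names lower-cased."""
    parts = [p.strip() for p in header_value.split(";")]
    name, _, _value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:                      # tolerate a trailing ';'
            continue
        key, _, val = part.partition("=")  # flags like Secure have no '='
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs

def classify(header_value):
    """Return (cookie_name, status) for one Set-Cookie value.

    rejected   - SameSite=None without Secure; Chrome ignores the cookie,
                 so the session never sticks and the SP loops.
    cross-site - SameSite=None with Secure; the cookie is sent on
                 cross-site requests, which is the XSRF exposure
                 SameSite is meant to stop.
    default    - no SameSite=None; browser default or Lax/Strict applies.
    """
    name, attrs = parse_set_cookie(header_value)
    if attrs.get("samesite", "").lower() == "none":
        return name, ("cross-site" if "secure" in attrs else "rejected")
    return name, "default"

def rejected_cookies(header_values):
    """Names of cookies a browser would drop for lacking Secure."""
    return [n for n, s in map(classify, header_values) if s == "rejected"]

# Constructed sample input, as it might appear in a captured response.
SAMPLE_HEADERS = [
    "_example_a=abc123; path=/; HttpOnly; SameSite=None",
    "_example_b=abc123; path=/; HttpOnly; Secure; SameSite=None",
    "_example_c=abc123; path=/; HttpOnly; Secure",
    "_example_d=abc123; path=/; samesite=none; SECURE;",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        print(classify(header))
```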