JSESSIONID issues, Stale Session. (SameSite issue?)

[Duncan Brannen]

Thanks Scott,
	I'd thought we were unaffected as it worked over 90% of the time but I guess this bit from chrome's  SameSite page explains that and we were just lucky.

"Chrome will make an exception for cookies set without a SameSite attribute less than 2 minutes ago."  My successful sessions all had redirects from login.microsoft within that 2 min window.

I'll go look at breaking old Safari and (ios <= 12 )webkit browsers. 

Does anyone know under what circumstances the jsessionID value is replaced?
While it seems to stay constant, sometimes the client sends a value and is sent back a new one (which works and continues to work for 2 mins, which stops things breaking as much as it would otherwise.)

Cheers,
	Duncan


-----Original Message-----
From: users <users-bounces at shibboleth.net> On Behalf Of Cantor, Scott
Sent: 20 January 2022 16:50
To: Shib Users <users at shibboleth.net>
Subject: Re: JSESSIONID issues, Stale Session. (SameSite issue?)

The SameSite page contains this text that needs to be more prominent:

"It is also likely that SAML proxying will be affected by this issue, because the POST back to the IdP from the proxied IdP will omit the necessary cookies to resume the flow, resulting in the "stale request" message."

It's not "likely", it's fact. The IdP will not function unless the original JSESSIONID is delivered back with the SAML POST intact.

-- Scott


-- 
For Consortium Member technical support, see https://eur01.safelinks.protection.outlook.com/?url=https%3A%2F%2Fshibboleth.atlassian.net%2Fwiki%2Fx%2FZYEpPw&data=04%7C01%7Cdbb%40st-andrews.ac.uk%7Cd09c37a068f942921cf408d9dc34e6cb%7Cf85626cb0da849d3aa5864ef678ef01a%7C0%7C0%7C637782942045724373%7CUnknown%7CTWFpbGZsb3d8eyJWIjoiMC4wLjAwMDAiLCJQIjoiV2luMzIiLCJBTiI6Ik1haWwiLCJXVCI6Mn0%3D%7C3000&sdata=eOYNTI0ZsMcKW%2BwcizuzfBWOp0mcYKtTpOBAIF0v1uk%3D&reserved=0
To unsubscribe from this list send an email to users-unsubscribe at shibboleth.net