Announced Chrome SameSite cookie concerns?


Josef Fortier

Feb 5, 2020, 5:50:43 PM
to SimpleSAMLphp
There are numerous warnings floating around the internet about announced Chrome changes to automatically set cookies with SameSite=Strict starting later this month. 

Here is the Chromium FAQ

https://www.chromium.org/updates/same-site/faq

This Shibboleth page suggests that it may not be an issue,

Patrick Radtke

Feb 6, 2020, 6:58:05 PM
to SimpleSAMLphp
Hi Josef,

SSP 1.17 and later have support for setting a SameSite value via config.php. As you are probably aware, not all browsers can handle a value of "None" being sent.
You'll need to set SameSite based on user agent parsing. The GitHub issue has information on how to configure this parsing. I believe the technique in https://github.com/simplesamlphp/simplesamlphp/pull/1153#issuecomment-582333821 is the most comprehensive, and sets it for browsers that can support it. The technique in https://github.com/simplesamlphp/simplesamlphp/pull/1153#issuecomment-566381258 is more simplistic, and only sets the cookie for Chrome (which means at some point in the future when Edge and Firefox adopt similar behavior it will need to change).

- Patrick
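
An added example, not part of the post above and not taken from the linked GitHub comments: one way to do the user-agent check in PHP, with exclusions based on Chromium's published list of clients incompatible with SameSite=None. The function name and the sample User-Agent strings are constructed; `session.cookie.samesite` and `session.cookie.secure` are SimpleSAMLphp config.php options, and `null` is assumed to leave the attribute off.

```php
<?php
// Added example; uaAcceptsSameSiteNone() and the sample User-Agent strings are
// constructed for illustration and are not SimpleSAMLphp code.

/** True when the client is expected to accept a cookie carrying SameSite=None. */
function uaAcceptsSameSiteNone(string $ua): bool
{
    if ($ua === '') {
        return false; // no header to judge by: leave the attribute off
    }
    // Every browser on iOS 12 treats SameSite=None as SameSite=Strict.
    if (preg_match('/\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//', $ua, $m) && (int) $m[1] === 12) {
        return false;
    }
    // Safari and embedded WebKit views on macOS 10.14 have the same bug.
    if (preg_match('/\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit\//', $ua)) {
        $safari = preg_match('/Version\/.* Safari\//', $ua) && !preg_match('/Chrom(e|ium)/', $ua);
        $embedded = preg_match('/^Mozilla\/[.\d]+ \(Macintosh;.*\) AppleWebKit\/[.\d]+ \(KHTML, like Gecko\)$/', $ua);
        if ($safari || $embedded) {
            return false;
        }
    }
    // UC Browser before 12.13.2 rejects the cookie outright. Checked before
    // Chrome because its User-Agent also carries a Chrome/ token.
    if (preg_match('/UCBrowser\/(\d+\.\d+\.\d+)/', $ua, $m)) {
        return version_compare($m[1], '12.13.2', '>=');
    }
    // Chrome and Chromium 51 through 66 reject the cookie outright.
    if (preg_match('/Chrom(?:e|ium)\/(\d+)/', $ua, $m)) {
        return (int) $m[1] < 51 || (int) $m[1] > 66;
    }
    return true;
}

// Fragment in the shape of config.php: only the two cookie options are shown.
$config = [
    'session.cookie.secure' => true, // Chrome 80 drops SameSite=None cookies that lack Secure
    'session.cookie.samesite' => uaAcceptsSameSiteNone($_SERVER['HTTP_USER_AGENT'] ?? '') ? 'None' : null,
];

// Constructed User-Agent strings to exercise the function from the CLI.
$samples = [
    'Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36',
    'Mozilla/5.0 (Windows NT 6.1) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/60.0.3112.90 Safari/537.36',
    'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1',
    'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15',
];
foreach ($samples as $ua) {
    printf("%-4s %s\n", uaAcceptsSameSiteNone($ua) ? 'None' : '-', $ua);
}
```

Because the cookie attribute now varies with the request's User-Agent, any cache in front of the IdP or SP should not share `Set-Cookie` responses between clients.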