Warning about Chrome 80 default setting change: SameSite=lax

Chrome 80, which will be released next week, includes a change to a browser default setting. In Chrome 80, if a cookie does not specify the SameSite attribute, the cookie will be treated as though the attribute were set to SameSite=lax (instead of being left unset).

When SameSite=lax is set on a cookie, that cookie will not be sent in a request if the domain of the request’s URL does not match the domain in the browser’s URL bar, the request is the result of the user clicking a link or of JavaScript assigning window.location to navigate to a new URL, or the request is initiated as the result of a 30x redirect (such as the multiple redirects during federated login).
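As an added example (not code from the original post), the following Python script takes the Set-Cookie header values a server emits during a login flow (constructed samples here) and reports how Chrome 80 will treat each cookie on a cross-site request; it also flags the companion Chrome 80 rule that SameSite=None is only honoured together with Secure.

```python
# Added example, not from the original post: classify Set-Cookie headers under the
# Chrome 80 SameSite rules. Cookie names and values below are constructed samples.

# What each SameSite mode allows on a cross-site request: a top-level GET navigation
# (link click, 30x redirect) versus a cross-site POST (e.g. a SAML HTTP-POST binding).
BEHAVIOUR = {
    "lax":    {"top_level_get": True,  "cross_site_post": False},
    "strict": {"top_level_get": False, "cross_site_post": False},
    "none":   {"top_level_get": True,  "cross_site_post": True},
}
NOT_SENT = {"top_level_get": False, "cross_site_post": False}


def parse_set_cookie(header):
    """Split a Set-Cookie value into its cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if value else True  # flag attrs -> True
    return parts[0].split("=", 1)[0].strip(), attrs


def classify(header):
    """Report the SameSite mode Chrome 80 applies to a cookie and what it means cross-site."""
    name, attrs = parse_set_cookie(header)
    declared = attrs.get("samesite")
    secure = attrs.get("secure") is True
    mode = declared.lower() if isinstance(declared, str) else None
    if mode is None or mode not in BEHAVIOUR:
        effective, note = "lax", "SameSite missing or unrecognised; Chrome 80 applies Lax"
    elif mode == "none" and not secure:
        effective, note = "rejected", "SameSite=None without Secure; Chrome 80 rejects the cookie"
    else:
        effective, note = mode, "SameSite set explicitly"
    return {"name": name, "effective": effective, "note": note,
            **BEHAVIOUR.get(effective, NOT_SENT)}


def audit(headers):
    """Classify every Set-Cookie header captured from a login flow."""
    return [classify(h) for h in headers]


# Constructed sample headers, as a server might emit them during federated login.
SAMPLE_HEADERS = [
    "session=abc123; Path=/; HttpOnly",          # no SameSite: becomes Lax in Chrome 80
    "relay=xyz; Path=/; Secure; SameSite=None",  # explicit cross-site cookie
    "legacy=1; Path=/; SameSite=None",           # None without Secure: rejected
    "csrf=tok; Path=/; SameSite=Strict",
]

if __name__ == "__main__":
    for r in audit(SAMPLE_HEADERS):
        print(f"{r['name']:>8}: {r['effective']:<8} POST sent={r['cross_site_post']} ({r['note']})")
```

Cookies that come back as "lax" but are needed on a cross-site POST (the typical federated-login trouble spot) are the ones to revisit before Chrome 80 ships.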

I tested with both Firefox and Chrome (though Chrome did not show the cookies being treated as Lax the way the Firefox dev tools did), logging into OSC OnDemand, which uses OpenID Connect, and logging in via CILogon, and experienced no problems.

If you are using another federated authentication mechanism, such as CAS or Shibboleth, would you consider testing and verifying that there are no problems?

To test you can enable this setting in Chrome or Firefox.

Directions for enabling in Firefox:

  1. Enter about:config in the URL bar, Accept Risk and Continue
  2. Type samesite to filter options to display: network.cookie.sameSite.laxByDefault
  3. Set network.cookie.sameSite.laxByDefault to true

Directions for enabling in Chrome (available in Chrome 76+):

  1. Enter chrome://flags in the URL bar
  2. Type SameSite
  3. Enable “SameSite by default cookies”

Related links: