Hello everyone. It seems on February 4th Chrome 80 will be rolling out with a change in behavior around the cookie attribute SameSite.
More information can be found here from the ComponentSpace team here: https://www.componentspace.com/Forums/10491/SAML-Cookie-SameSite-Mode-None
The fix provided from the component space team was to update existing applications SDK to >=2.1.14
We've applied that change by migrating to Nop4.1 which has the 2.1 sdk and we're specifying that we use 2.1.803 when building, however we're finding that we're still affected by the cookie problem.
Some of our saml cookies with no same site attribute aren't defaulting to SameSite=None; & Secure;
We're thinking NopCommerce might be giving us mixed results around this because a normally generated SSO project on that SDK gives us our desired behavior. Has anyone found a solution for ensuring SameSite=None in the absence of that attribute?
Chrome 80 and SSO
认证开发者
- 2
- 10
- 2020/2/3
- India
We were facing the same issue and upgrading the sdk to 2.2.110 (v4.2 nopcommerce) did not help either. So we manually went and added the samesite=none to all the cookies and things started working for us.
Our Solution:
Go to the file Nop.Web.Framework.Infrastructure.Extensions.ServiceCollectionExtensions.cs and add
samesite = none to the list of options for all the cookies. You will have to update it at multiple places.
Also add the same option in file Nop.Web.Framework.WebWorkContext.cs at Method -> SetCustomerCookie().
Rebuild and retry!
Hope this helps.
Our Solution:
Go to the file Nop.Web.Framework.Infrastructure.Extensions.ServiceCollectionExtensions.cs and add
samesite = none to the list of options for all the cookies. You will have to update it at multiple places.
Also add the same option in file Nop.Web.Framework.WebWorkContext.cs at Method -> SetCustomerCookie().
Rebuild and retry!
Hope this helps.
- 23
- 195
- 2013/4/18
- Sweden
We just encountered this problem with an SAP Ariba integration.
We are running version 4.00
SAP Ariba insists on having the site in an iframe hosted on their side, not good security wise.
BUT, I've tried adding the code for samesitemode.none and secure, but when I inspect the headers it's still samesite.lax, how can this even be possible?
//set new cookie value
var options = new Microsoft.AspNetCore.Http.CookieOptions
{
HttpOnly = true,
Secure = true,
SameSite = SameSiteMode.None
};
Any suggestions?
Best regards,
Peter Larsson
We are running version 4.00
SAP Ariba insists on having the site in an iframe hosted on their side, not good security wise.
BUT, I've tried adding the code for samesitemode.none and secure, but when I inspect the headers it's still samesite.lax, how can this even be possible?
//set new cookie value
var options = new Microsoft.AspNetCore.Http.CookieOptions
{
HttpOnly = true,
Secure = true,
SameSite = SameSiteMode.None
};
Any suggestions?
Best regards,
Peter Larsson