- From: Brad Hill <hillbrad@gmail.com>
- Date: Sun, 19 Jun 2016 04:01:45 +0000
- To: Reed Loden <reed@reedloden.com>, security-dev@chromium.org, WebAppSec WG <public-webappsec@w3.org>
- Message-ID: <CAEeYn8gJF3VxiOYnJ0H17P98_-5P=3AOjkEftCTAkkXAia4YqQ@mail.gmail.com>
These two things have explicitly opposite design goals. SAML authentication endpoints expect requests originating from off-site. That's how the protocol works. That it is possible to make HTTP requests between applications in a fully interoperable way is a great and valuable thing about the web platform. It's what makes the web a web.

SameSite cookies are not everywhere and always a good thing. Very few web applications of any reasonable complexity will be able to move to using SameSite cookies exclusively. They are a good thing for endpoints that shouldn't be invoked from off-site; a property that was previously difficult to enforce on the web platform when you did want it.

So you shouldn't expect to be able to use SAML in this way with a SameSite cookie. What you can do is represent sessions using two cookies: one SameSite and one not. Check the SameSite cookie only for actions that should never be called from off-site.

On Fri, Jun 17, 2016 at 6:00 AM Reed Loden <reed@reedloden.com> wrote:

> Greetings,
>
> I recently added SameSite=Strict to a site's session cookies, but it was discovered that this breaks SAML authentication (via HTTP POST), as the user's session cookie isn't sent back to the site as part of the SAML authentication response, causing a new session cookie to be generated, which means the user never logged in. This was mentioned in a recent HN thread as well -- https://news.ycombinator.com/item?id=11787558.
>
> For sites that implement SameSite cookies and also allow for authentication via SAML, are there any recommendations on what can be done? SAML also supports HTTP Redirect (GET), but that runs into CSP issues with `frame-src`/`child-src`.
>
> One thing that may be possible would be to regenerate the cookie solely based on what the SAML response has in it, but that's not optimal, as you lose any type of state from the previous session (such as a redirect URL to use once the user is logged in).
>
> Any thoughts people might have on finding a way to support SAML authentication with SameSite cookies are welcome! :-)
>
> ~reed
Received on Sunday, 19 June 2016 04:02:23 UTC
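The two-cookie pattern Brad describes, worked through as an added example (this is illustrative code written for this page, not code from Brad Hill, Reed Loden, Chromium or the WebAppSec WG). The endpoint paths (`/login`, `/saml/acs`, `/account/email`), the cookie names `sid` and `sid_strict`, and the in-memory session store are assumptions; the `Browser` class is a deliberately minimal model of one browser rule, that SameSite=Strict cookies are withheld from cross-site requests, not a real user agent. One caveat the 2016 thread predates: since Chrome 80 (2020) a cookie with no SameSite attribute is treated as Lax and so is also dropped from a cross-site POST, which is why the non-strict cookie below carries `SameSite=None; Secure` explicitly. A real ACS handler must also verify the signed SAML Response before trusting its NameID; that step is elided here.

```python
"""Two-cookie session pattern for SAML over HTTP-POST with SameSite cookies.

One session id is issued in two cookies: `sid`, which cross-site POSTs still
carry (so the IdP's SAML response reaches the pre-login session and its
saved state, e.g. return_to), and `sid_strict`, a SameSite=Strict copy that
gates actions which must never be triggered from off-site.  Names, paths and
the store are assumptions made for this example.
"""
import hmac
import secrets
from urllib.parse import parse_qs, urlsplit

SESSIONS = {}  # sid -> session state (stand-in for a real session store)


def new_session(state):
    sid = secrets.token_urlsafe(32)
    SESSIONS[sid] = dict(state)
    return sid


def set_cookie_headers(sid):
    """Same id, two cookies with different SameSite policies."""
    # In 2016 omitting SameSite sufficed for the first cookie; modern browsers
    # default to Lax, so SameSite=None; Secure is needed to survive a cross-site POST.
    return [
        ("Set-Cookie", f"sid={sid}; Path=/; Secure; HttpOnly; SameSite=None"),
        ("Set-Cookie", f"sid_strict={sid}; Path=/; Secure; HttpOnly; SameSite=Strict"),
    ]


def session_for(cookies, require_strict):
    """Resolve the session; with require_strict the Strict copy must match too."""
    sid = cookies.get("sid")
    if sid is None or sid not in SESSIONS:
        return None, None
    if require_strict and not hmac.compare_digest(cookies.get("sid_strict", ""), sid):
        return None, None
    return sid, SESSIONS[sid]


def handle(method, url, cookies, form=None):
    """Tiny router returning (status, headers, body)."""
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    if method == "GET" and parts.path == "/login":
        # Pre-login session that remembers where to send the user afterwards.
        state = {"user": None, "email": None, "return_to": query.get("return_to", ["/"])[0]}
        return 200, set_cookie_headers(new_session(state)), "login page"
    if method == "POST" and parts.path == "/saml/acs":
        # Posted by the IdP from another site: only the non-Strict cookie arrives,
        # which is exactly enough to find the pre-login state.
        old_sid, state = session_for(cookies, require_strict=False)
        if state is None:  # IdP-initiated SSO: nothing to carry over
            state = {"user": None, "email": None, "return_to": "/"}
        state = dict(state, user=form["NameID"])  # signature verification elided
        if old_sid:
            del SESSIONS[old_sid]  # rotate the id at login (session fixation)
        sid = new_session(state)
        return 302, set_cookie_headers(sid) + [("Location", state["return_to"])], ""
    if method == "POST" and parts.path == "/account/email":
        # State-changing action: must never be reachable from off-site.
        _, state = session_for(cookies, require_strict=True)
        if state is None or state["user"] is None:
            return 403, [], "forbidden"
        state["email"] = form["email"]
        return 200, [], "updated"
    return 404, [], "not found"


class Browser:
    """Models one rule only: Strict cookies are not sent on cross-site requests."""

    def __init__(self):
        self.jar = {}  # cookie name -> (value, samesite)

    def store(self, headers):
        for name, value in headers:
            if name != "Set-Cookie":
                continue
            nv, *attrs = [p.strip() for p in value.split(";")]
            cname, cval = nv.split("=", 1)
            samesite = next((a.split("=", 1)[1] for a in attrs if a.lower().startswith("samesite=")), "None")
            self.jar[cname] = (cval, samesite)

    def request(self, method, url, form=None, cross_site=False):
        sent = {n: v for n, (v, ss) in self.jar.items() if not (cross_site and ss.lower() == "strict")}
        status, headers, body = handle(method, url, sent, form)
        self.store(headers)
        return status, headers, body


def run_scenario():
    """Walk the thread's case through the model; returns the observable outcomes."""
    browser = Browser()
    browser.request("GET", "/login?return_to=/dashboard")
    # HTTP-POST binding: the IdP's page form-posts the SAML response cross-site.
    status, headers, _ = browser.request("POST", "/saml/acs", {"NameID": "alice"}, cross_site=True)
    # A forged cross-site POST carries only `sid`, so the strict check refuses it.
    csrf_status, _, _ = browser.request("POST", "/account/email", {"email": "evil@example.net"}, cross_site=True)
    # The same action from the site's own page carries both cookies and succeeds.
    ok_status, _, _ = browser.request("POST", "/account/email", {"email": "alice@example.org"})
    sid = browser.jar["sid"][0]
    return {"saml_status": status, "redirect": dict(headers).get("Location"),
            "csrf_status": csrf_status, "ok_status": ok_status,
            "user": SESSIONS[sid]["user"], "email": SESSIONS[sid]["email"]}
```

The split is what makes Reed's complaint go away without giving up the CSRF protection: the ACS endpoint reads only `sid`, so the saved `return_to` survives the IdP's cross-site POST, while every endpoint that should never be invoked from off-site additionally demands `sid_strict`, which the browser withholds from any cross-site request. Rotating the session id at login is not part of Brad's suggestion; it is included because an ACS that upgrades an existing pre-login session is a classic session-fixation spot.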