
SameSite cookies and SAML

From: Reed Loden <reed@reedloden.com>
Date: Fri, 17 Jun 2016 14:57:02 +0200
Message-ID: <CALPTtNUjV4niUQa=MUUSj-fvbvvNG++7MNGrVEEHzmHU8et2Aw@mail.gmail.com>
To: security-dev@chromium.org, WebAppSec WG <public-webappsec@w3.org>

Greetings,

I recently added SameSite=Strict to a site's session cookies, but it was
discovered that this breaks SAML authentication (via HTTP POST), as the
user's session cookie isn't sent back to the site as part of the SAML
authentication response, causing a new session cookie to be generated,
which means the user never logged in. This was mentioned in a recent HN
thread as well -- https://news.ycombinator.com/item?id=11787558.

For sites that implement SameSite cookies and also allow for authentication
via SAML, are there any recommendations on what can be done? SAML also
supports HTTP Redirect (GET), but that runs into CSP issues with
`frame-src`/`child-src`.

One thing that may be possible would be to regenerate the cookie solely
based on what the SAML response has in it, but that's not optimal, as you
lose any type of state from the previous session (such as a redirect URL to
use once the user is logged in).

Any thoughts people might have on finding a way to support SAML
authentication with SameSite cookies are welcome! :-)

~reed
Received on Friday, 17 June 2016 12:57:52 UTC
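The failure described in the message above comes down to the browser's SameSite decision on the cross-site, top-level navigation that delivers the SAML response to the service provider. The following is an added example, not code from the post or from any SAML library: it models that decision as specified in the SameSite draft (Strict never sent cross-site; Lax sent cross-site only on top-level navigations with a safe method; no attribute always sent), applies it to the two bindings the post mentions (HTTP-POST and HTTP-Redirect), and shows why the server-side session state (here a stored post-login redirect URL, a constructed value) is lost when the cookie does not arrive. All names and the in-memory session store are assumptions made for this illustration.

```python
"""SameSite vs. SAML bindings: a model of the cookie-sending rule.

Constructed example, not the mailing-list author's code. "None" below stands
for a cookie carrying no SameSite attribute at all.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional

# "Safe" methods per the SameSite draft: Lax cookies ride along with
# cross-site top-level navigations only when the method is one of these.
SAFE_METHODS = {"GET", "HEAD", "OPTIONS", "TRACE"}


@dataclass(frozen=True)
class Cookie:
    name: str
    same_site: str  # "Strict", "Lax" or "None" (attribute absent)


@dataclass(frozen=True)
class Request:
    method: str
    cross_site: bool  # initiating site differs from the request URL's site
    top_level: bool   # top-level navigation (the address bar changes)


def cookie_is_sent(cookie: Cookie, request: Request) -> bool:
    """Browser-side decision from the SameSite specification."""
    if not request.cross_site:
        return True                      # same-site requests are unaffected
    if cookie.same_site == "Strict":
        return False                     # never attached cross-site
    if cookie.same_site == "Lax":
        return request.top_level and request.method in SAFE_METHODS
    return True                          # no SameSite attribute: always sent


# The IdP hands the SAMLResponse back to the SP's Assertion Consumer Service
# either by an auto-submitted form (HTTP-POST binding) or by a redirect
# (HTTP-Redirect binding). From the browser's point of view both are
# cross-site, top-level navigations into the SP.
HTTP_POST_BINDING = Request(method="POST", cross_site=True, top_level=True)
HTTP_REDIRECT_BINDING = Request(method="GET", cross_site=True, top_level=True)


@dataclass
class ServiceProvider:
    """Minimal SP keeping pre-login state in a server-side session
    addressed by the session cookie value (an assumed design, matching
    the situation the post describes)."""
    same_site: str
    sessions: Dict[str, dict] = field(default_factory=dict)
    _counter: int = 0

    def start_login(self, redirect_url: str) -> Cookie:
        """User hits a protected page; SP stores where to send them after
        login and issues the session cookie, then redirects to the IdP."""
        self._counter += 1
        sid = f"sid-{self._counter}"
        self.sessions[sid] = {"redirect_url": redirect_url, "user": None}
        return Cookie(name=sid, same_site=self.same_site)

    def assertion_consumer(self, cookie: Cookie, binding: Request,
                           user_from_saml: str) -> Optional[str]:
        """ACS endpoint. Returns the stored redirect URL if the original
        session came back with the SAML response, else None: the SP minted
        a fresh session and the pre-login state is gone."""
        if cookie_is_sent(cookie, binding) and cookie.name in self.sessions:
            session = self.sessions[cookie.name]
            session["user"] = user_from_saml
            return session["redirect_url"]
        self._counter += 1                       # new, empty session
        self.sessions[f"sid-{self._counter}"] = {"redirect_url": None,
                                                 "user": user_from_saml}
        return None


def outcome(same_site: str, binding: Request) -> Optional[str]:
    """Run one login round-trip and report the recovered redirect URL."""
    sp = ServiceProvider(same_site=same_site)
    cookie = sp.start_login("/dashboard")        # constructed target URL
    return sp.assertion_consumer(cookie, binding, user_from_saml="alice")


def matrix() -> Dict[tuple, Optional[str]]:
    bindings = (("HTTP-POST", HTTP_POST_BINDING),
                ("HTTP-Redirect", HTTP_REDIRECT_BINDING))
    return {(ss, name): outcome(ss, b)
            for ss in ("Strict", "Lax", "None") for name, b in bindings}


if __name__ == "__main__":
    for (ss, name), url in matrix().items():
        state = f"state kept, redirect to {url}" if url else "state LOST, new session"
        print(f"SameSite={ss:6} {name:13} -> {state}")
```

Running it prints one line per combination: Strict loses the state on both bindings, Lax keeps it only on the HTTP-Redirect (GET) binding because POST is not a safe method, and a cookie without the attribute survives both. That matches the post's observation and also shows that switching to the Redirect binding only helps if the cookie is Lax rather than Strict.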
