- From: Reed Loden <reed@reedloden.com>
- Date: Fri, 17 Jun 2016 14:57:02 +0200
- To: security-dev@chromium.org, WebAppSec WG <public-webappsec@w3.org>
Received on Friday, 17 June 2016 12:57:52 UTC
Greetings,

I recently added SameSite=Strict to a site's session cookies, but it was discovered that this breaks SAML authentication (via HTTP POST), as the user's session cookie isn't sent back to the site as part of the SAML authentication response, causing a new session cookie to be generated, which means the user never logged in. This was mentioned in a recent HN thread as well -- https://news.ycombinator.com/item?id=11787558.

For sites that implement SameSite cookies and also allow for authentication via SAML, are there any recommendations on what can be done? SAML also supports HTTP Redirect (GET), but that runs into CSP issues with `frame-src`/`child-src`.

One thing that may be possible would be to regenerate the cookie solely based on what the SAML response has in it, but that's not optimal, as you lose any type of state from the previous session (such as a redirect URL to use once the user is logged in).

Any thoughts people might have on finding a way to support SAML authentication with SameSite cookies are welcome! :-)

~reed
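A small model of the SameSite attachment rule applied to the two SAML bindings the post mentions, added here as an illustration and not code from the original message; it assumes the `Lax` value from the SameSite draft, which the post itself does not discuss, alongside `Strict` and the attribute being absent.

```python
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", or None (attribute absent)


def cookie_attached(cookie: Cookie, cross_site: bool, method: str, top_level: bool) -> bool:
    """Model of the browser's SameSite rule: a Strict cookie is never sent on a
    cross-site request; a Lax cookie is sent cross-site only on a top-level
    navigation with a safe method (GET/HEAD); a cookie without the attribute
    is always sent."""
    if not cross_site:
        return True
    if cookie.samesite == "Strict":
        return False
    if cookie.samesite == "Lax":
        return top_level and method.upper() in ("GET", "HEAD")
    return True


def saml_acs_sees_session(binding: str, samesite: Optional[str]) -> bool:
    """The IdP (a different site) returns the SAML response to the SP's
    Assertion Consumer Service either by HTTP-POST (an auto-submitted form,
    a cross-site top-level POST) or by HTTP-Redirect (a cross-site top-level
    GET). Returns whether the SP's session cookie arrives with that response."""
    method = {"HTTP-POST": "POST", "HTTP-Redirect": "GET"}[binding]
    session = Cookie("session", samesite)  # constructed sample cookie
    return cookie_attached(session, cross_site=True, method=method, top_level=True)


def summarize() -> Dict[Tuple[str, Optional[str]], bool]:
    """Table of (binding, SameSite value) -> session cookie present at the ACS."""
    return {
        (binding, value): saml_acs_sees_session(binding, value)
        for binding in ("HTTP-POST", "HTTP-Redirect")
        for value in ("Strict", "Lax", None)
    }


if __name__ == "__main__":
    for (binding, value), present in summarize().items():
        print(f"{binding:14} SameSite={value!s:6} -> session cookie sent: {present}")
```

The table shows the failure in the post (Strict is dropped for both bindings) and why the Redirect binding behaves differently only for a Lax cookie, so the fix cannot come from the cookie attribute alone when POST binding must be supported.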