
#1 astonecipher

SameSite Cookies

Posted 29 January 2020 - 12:26 PM

This ran across my desk this morning to investigate. Figured it may be something others need to look into as well.


Google Chrome 80: SameSite Cookie Guidance
First Released: 28 January 2020
Last Modified: 28 January 2020

Starting with Chrome 80 (Feb 2020), Google will enforce the new SameSite policy for browser cookies in order to improve privacy. Google announced this change in May 2019. Microsoft and Firefox have indicated intentions to follow suit, although exact timing is unknown. Unfortunately, one of the side effects of this change is that applications may no longer function properly, either in subtle or dramatic ways.

Deloitte’s understanding of this change is rapidly evolving, and this document may be amended to reflect new information.

Breaking Change

The below is a list of common scenarios that can be affected by this change:
• Integrations with Identity Providers using protocols such as OpenID Connect.
• Embedding web application content from a third-party domain.

Call to Action

Developers now need to set the new SameSite attribute in cookies per the below:
• A cookie with "SameSite=Strict" will only be sent with a same-site request.
• A cookie with "SameSite=Lax" will be sent with a same-site request, or a cross-site top-level navigation with a "safe" HTTP method.
• A cookie with "SameSite=None" will be sent with both same-site and cross-site requests; however, the cookie must also be marked as Secure. This must be used when working with Identity Providers.
• A cookie without a SameSite attribute will be treated as if it was set to Lax.

Developers who develop with .NET Framework 4.7.2+, or .NET Core 2.1+ can set the SameSite property using built-in language support as long as their development machine also has recently been patched. Developers who use Microsoft.Owin.Security.Cookies must use version 4.1.0 or newer.

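The four SameSite rules in the quoted guidance are easiest to check against concrete cases. The following is an added example (JavaScript, not code from the post or from the Deloitte note): it parses Set-Cookie headers, applies the Strict / Lax / None rules plus the Lax default, and reports which cookies a Chrome-80-style browser would attach in each of the scenarios the note calls out (an OpenID Connect form_post callback, a cross-site link, an embedded iframe, and the application's own same-site request). Whether a request is same-site is passed in as an input rather than derived from URLs, since that needs the public suffix list; the request contexts and cookie headers are constructed samples. The rejection of a SameSite=None cookie that lacks Secure is modeled as the cookie never being stored.

```javascript
// Added example, not code from the original post or from the Deloitte note it quotes.
// Models which cookies a Chrome-80-style browser attaches to a request under the
// four SameSite rules listed above. Request contexts and headers are constructed samples.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse a Set-Cookie header value into a small cookie record.
// A missing or unrecognized SameSite value is treated as Lax, as the note states.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim());
  const eq = parts[0].indexOf('=');
  const cookie = {
    name: eq === -1 ? parts[0] : parts[0].slice(0, eq),
    value: eq === -1 ? '' : parts[0].slice(eq + 1),
    sameSite: 'Lax',
    secure: false,
  };
  for (const attr of parts.slice(1)) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') {
      const v = val.trim().toLowerCase();
      cookie.sameSite = v === 'strict' ? 'Strict' : v === 'none' ? 'None' : 'Lax';
    }
  }
  return cookie;
}

// SameSite=None without Secure is rejected by the browser, so it is never sent.
function isAccepted(cookie) {
  return !(cookie.sameSite === 'None' && !cookie.secure);
}

// ctx: { sameSite: bool, topLevel: bool, method: string }
// Same-site-ness is an input here (assumption): deriving it from URLs needs the
// public suffix list and is out of scope for this example.
function wouldSend(cookie, ctx) {
  if (!isAccepted(cookie)) return false;
  if (ctx.sameSite) return true;           // same-site requests carry every cookie
  switch (cookie.sameSite) {
    case 'Strict':
      return false;                         // never on a cross-site request
    case 'Lax':                             // cross-site only on a top-level "safe" navigation
      return ctx.topLevel && SAFE_METHODS.has(ctx.method.toUpperCase());
    case 'None':
      return true;                          // accepted None cookies go everywhere
    default:
      return false;
  }
}

// Build a Set-Cookie header a Chrome-80 client will accept; refuses the
// None-without-Secure combination instead of silently emitting a dropped cookie.
function buildSetCookie(name, value, { sameSite = 'Lax', secure = false, httpOnly = true, path = '/' } = {}) {
  if (sameSite === 'None' && !secure) {
    throw new Error('SameSite=None requires the Secure attribute');
  }
  const attrs = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) attrs.push('Secure');
  if (httpOnly) attrs.push('HttpOnly');
  return attrs.join('; ');
}

// Constructed request contexts matching the scenarios in the note.
const CONTEXTS = {
  oidcFormPost:  { sameSite: false, topLevel: true,  method: 'POST' }, // IdP redirect via form_post
  crossSiteLink: { sameSite: false, topLevel: true,  method: 'GET'  }, // user follows a link
  iframeEmbed:   { sameSite: false, topLevel: false, method: 'GET'  }, // app embedded on a third-party page
  sameSiteXhr:   { sameSite: true,  topLevel: false, method: 'POST' }, // the app's own fetch()
};

// Constructed Set-Cookie headers: a legacy cookie with no attribute, an IdP
// cookie done right, a Strict cookie, and a None cookie missing Secure.
const SAMPLE_SET_COOKIES = [
  'sid=abc123; Path=/; HttpOnly',
  'idp_session=xyz; Path=/; Secure; SameSite=None',
  'csrf=tok; Path=/; SameSite=Strict',
  'tracker=1; Path=/; SameSite=None',
];

// Returns { cookieName: { contextName: sent(bool) } } for every pair.
function simulate(headers = SAMPLE_SET_COOKIES, contexts = CONTEXTS) {
  const result = {};
  for (const header of headers) {
    const cookie = parseSetCookie(header);
    result[cookie.name] = {};
    for (const [ctxName, ctx] of Object.entries(contexts)) {
      result[cookie.name][ctxName] = wouldSend(cookie, ctx);
    }
  }
  return result;
}

console.table(simulate());
```

The row worth staring at is the legacy `sid` cookie: under the new default it still rides a cross-site link (top-level GET) but is dropped from the OpenID Connect form_post callback (top-level POST) and from the iframe load, which is exactly how the two breaking scenarios in the note manifest. The model applies the rules as the note states them; real Chrome 80 also shipped a temporary "Lax + POST" exception that still sends an attribute-less cookie on a top-level cross-site POST if it was set less than two minutes earlier, which is deliberately left out so that the stated rule is what gets exercised.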