SAML Cookie SameSite Mode None


CBRon
CBRon - 1/13/2020
My test server is Windows Server 2008 R2. It has the latest .Net Framework installed (4.8). We are using ComponentSpace 2.8.50. I added this line to web.config
<sessionState cookieSameSite="None" />

I already had this line
<httpCookies httpOnlyCookies="true" requireSSL="true"/>

Now I get the error
Parser Error Message: Unrecognized attribute 'cookieSameSite'. Note that attribute names are case-sensitive.
What is wrong?

ComponentSpace - 1/13/2020
Our testing was on Windows Server 2012. We haven't tested on 2008 but as far as I can tell as long as you have .NET framework v4.8 installed on the web server it should work.

Just to confirm, the <sessionState> element is in your <system.web> section? If you remove the cookieSameSite="None" do you still get a parser error?

Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work?

csnyder
I have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie:

aspxauth=...  path=/; HttpOnly

Is there any trick to upgrading the ASP.NET app pool?  From what I'm reading it should take the updated framework.  I even verified the registry to make sure the correct .Net framework version is installed.
ComponentSpace
mov3 - 1/14/2020
Seems like instead of all of the browser sniffing Auth0 is just having two cookies - one without any samesite attributes on the cookie and one with SameSite: None; Secure - why isn't ComponentSpace doing this with their implementation to avoid all of the browser sniffing that is otherwise required? https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/

We could do this with the custom SAML session cookie but I don't think this is possible with the ASP.NET session cookie.

The browser sniffing is an interim solution that hopefully won't be needed in the near future.

There is the option to customize the implementation of the cookie setting in the latest product releases if you would prefer the approach you suggested.

Regards
ComponentSpace Development
ComponentSpace
CBRon - 1/14/2020
Yes, the <sessionState> element is present. And I do not get the parser error if I remove the cookieSameSite="None" attribute. One other potential issue - this is a legacy app that is using the .Net framework 2.0 (actually 3.5). Could that be an issue? I also had another idea. What if I add the SameSite attribute to the Response cookie using an URL Rewrite outbound rule? Would that work?

I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required.

Just to confirm, you have .NET framework v4.8 installed on the web server?

Regards
ComponentSpace Development
ComponentSpace
csnyder - 1/14/2020
I have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie:

aspxauth=...  path=/; HttpOnly

Is there any trick to upgrading the ASP.NET app pool?  From what I'm reading it should take the updated framework.  I even verified the registry to make sure the correct .Net framework version is installed.

The aspxauth cookie is the authorization cookie rather than the session cookie.

You should be looking for a cookie whose name is ASP.NET_SessionId, unless you've changed the default name for this cookie.

The following post shows where I changed the cookie name to My.ASP.NET_SessionId just to make this clearer. However, using the default name of ASP.NET_SessionId is perfectly fine.

https://www.componentspace.com/Forums/10552/Chrome-SameSite-Cookie-Change




Regards
ComponentSpace Development
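
The check described in the replies above (inspect ASP.NET_SessionId rather than .ASPXAUTH, and confirm both Secure and SameSite=None on it), as an added example that is not part of the original posts or ComponentSpace's code. The header values are constructed and the function names are hypothetical.

```python
# Added example, not ComponentSpace code. All header values are constructed.
SESSION_COOKIE = "ASP.NET_SessionId"  # ASP.NET default session cookie name


def parse_set_cookie(header):
    """Split one Set-Cookie header value into (name, {attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts:
        return "", {}
    name = parts[0].partition("=")[0].strip()
    attrs = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()  # attribute names are case-insensitive
    return name, attrs


def check_session_cookie(set_cookie_headers, cookie_name=SESSION_COOKIE):
    """Return (ok, findings) for cookie_name across a response's Set-Cookie headers."""
    findings, seen, others = [], False, []
    for header in set_cookie_headers:
        name, attrs = parse_set_cookie(header)
        if name != cookie_name:  # e.g. .ASPXAUTH is the auth cookie, not the session
            others.append(name)
            continue
        seen = True
        same_site = attrs.get("samesite")
        if same_site is None or same_site.lower() != "none":
            findings.append(f"{name}: SameSite is {same_site or 'absent'}, expected None")
        if "secure" not in attrs:
            findings.append(f"{name}: Secure attribute missing")
    if not seen:
        findings.append(f"{cookie_name} not set in this response; saw: {others or 'no cookies'}")
    return seen and not findings, findings


# Constructed responses modelled on the header shapes quoted in this thread.
SAMPLES = {
    "auth cookie only": [".ASPXAUTH=0123ABCD; path=/; HttpOnly"],
    "session, no SameSite": ["ASP.NET_SessionId=abc123; path=/; secure; HttpOnly"],
    "session, fixed": [".ASPXAUTH=0123ABCD; path=/; HttpOnly",
                       "ASP.NET_SessionId=abc123; path=/; secure; HttpOnly; SameSite=None"],
}

if __name__ == "__main__":
    for label, headers in SAMPLES.items():
        ok, findings = check_session_cookie(headers)
        print(f"{label}: {'OK' if ok else 'FAIL'}", *findings, sep="\n  ")
```

If the session cookie has been renamed in web.config (My.ASP.NET_SessionId in the linked post), pass that name as `cookie_name`.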
Karlo Abela
csnyder - 1/14/2020
I have an ASP.NET application targeting 4.5 using the SAML library v2.x so I followed the process of installing v4.8 Framework and changing the web.config, but so far I'm not seeing SameSite=none in the set cookie:

aspxauth=...  path=/; HttpOnly

Is there any trick to upgrading the ASP.NET app pool?  From what I'm reading it should take the updated framework.  I even verified the registry to make sure the correct .Net framework version is installed.

We are also encountering this issue. Our web project is 4.5.1 and we're using SAML v2.6. We updated the web.config and installed .NET Framework 4.8 runtime in the web server.

We're getting this result:

refCode=0; path=/; secure; HttpOnly

Cheers,
ComponentSpace
Just to confirm, this is the ASP.NET_SessionId cookie?

Could you include the full set-cookie header?

Regards
ComponentSpace Development
CBRon
ComponentSpace - 1/14/2020
I haven't tried it but it's worth taking a look if you like. As long as you see the Secure and SameSite=None in the set-cookie header, that's all that's required.

Just to confirm, you have .NET framework v4.8 installed on the web server?

Yes, I have .NET Framework 4.8 installed on the server.

csnyder
ComponentSpace - 1/14/2020
Just to confirm, this is the ASP.NET_SessionId cookie?

Could you include the full set-cookie header?

The set cookie header on our server is returning:
Server: Microsoft-IIS/8.5
Set-Cookie: .ASPXAUTH=130960F2BE1F38E1E090B5E8BBC91A7EA504A591A8386023108C02D7D51508376319FB993A3C0B4F9495E75E2A7BDE312747813D5519E3BA71D6677751E6A015692442F5DC7EA22513556232EB4F380FA9C3F6036E6B3A36F64DF7D9C325E99D20ADC37630E284A68840F4ED6774; path=/; HttpOnly
X-AspNet-Version: 4.0.30319
X-AspNetMvc-Version: 5.2
X-Powered-By: ASP.NET



ComponentSpace
CBRon - 1/15/2020
Yes, I have .NET Framework 4.8 installed on the server.

It might be related to the .NET framework v2.0. Our testing has been on the .NET framework v4.0 and above. You might have to contact Microsoft support for confirmation.

The other consideration is that not all SAML flows require the use of SAML state to work.

For example, if you're the SP and supporting IdP-initiated SSO flow, no SAML state is required. Therefore no changes would be required to support the Chrome updates.

Are you acting as the SP or IdP and are you supporting IdP-initiated or SP-initiated SSO? Are you supporting SAML logout?

Regards
ComponentSpace Development