I'm currently using version 2.8.8.0 (with .NET 4.7.2), and acting as a Service Provider. Due to security constraints we set the following a few months ago: <sessionState cookieSameSite="Lax" /> <httpCookies requireSSL="true"/>
I was concerned that the 2-minute window for "Lax+POST" was the only reason that our login flow was working correctly but I have tested with Chrome Canary 82.0.4047.0 with the additional flag: --enable-features=SameSiteDefaultChecksMethodRigorously so that would be disabled, and it still works. Viewing the network I can see the SameSite parameter being set as Lax (request method is POST): set-cookie: ASP.NET_SessionId=0syfbwutmk4twbjscfrpg5pu; path=/; secure; HttpOnly; SameSite=Lax
I had read in this post the following: If the SAML session cookie is marked as SameSite=Strict, the browser won't include it with the SAML response as the sites are different. If the SAML session cookie is marked as SameSite=Lax, the browser still won't include it as this isn't considered a top-level navigation action. Specifically, the SameSite specification doesn't consider Post to be a safe HTTP method.
Is there something else that I need to test against? I would prefer to not set SameSite to None, and would rather use Lax if possible. It appears that it's working properly, but just wanted to see what I may be doing wrong or if there is something I am not considering. Thanks in advance.
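The behaviour being asked about can be worked through in a small model of the browser's SameSite decision. The block below is an added example written for this page; it is not code from the question, from ASP.NET, or from any browser, and the cookie objects, timestamps and request shapes in it are constructed for illustration. It encodes the rules as Chrome 80+ applies them: Strict and Lax cookies are withheld from cross-site requests except (for Lax) top-level navigations with a safe method, SameSite=None requires Secure, a Secure cookie is never sent over plain http, and the "Lax + POST" two-minute window applies only to cookies that carry no SameSite attribute at all. A SAML response delivered by the HTTP-POST binding is a cross-site, top-level POST to the SP's Assertion Consumer Service, so the model shows which session-cookie configurations would reach the ACS with that POST, and that a cookie explicitly set SameSite=Lax was never eligible for the two-minute exception in the first place.

```javascript
// Added example (not from the question, ASP.NET or any browser): a model of
// the browser-side SameSite decision for the SAML HTTP-POST binding case.
// All cookie values, timestamps and request objects below are constructed.

const TWO_MINUTES_MS = 2 * 60 * 1000;

// A cookie with no SameSite attribute is "Lax by default" in Chrome 80+ and is
// the only kind eligible for the "Lax + POST" two-minute exception.
function effectiveSameSite(cookie) {
  const v = (cookie.sameSite || '').toLowerCase();
  if (v === 'strict' || v === 'lax' || v === 'none') return v;
  return 'lax-by-default';
}

// Decide whether the browser attaches `cookie` to `request`.
//   cookie:  { name, sameSite, secure, setAt }  (setAt = ms timestamp)
//   request: { method, https, crossSite, topLevel }
//   opts:    { now, methodRigorously }  methodRigorously=true mimics
//            --enable-features=SameSiteDefaultChecksMethodRigorously,
//            which switches the two-minute exception off.
function cookieIsSent(cookie, request, opts) {
  const now = opts.now;
  const rigorous = !!opts.methodRigorously;

  // <httpCookies requireSSL="true"/> yields Secure cookies: never sent over http.
  if (cookie.secure && !request.https) {
    return { sent: false, reason: 'Secure cookie on http request' };
  }
  // Same-site requests are unaffected by the SameSite attribute.
  if (!request.crossSite) return { sent: true, reason: 'same-site request' };

  const mode = effectiveSameSite(cookie);
  if (mode === 'none') {
    return cookie.secure
      ? { sent: true, reason: 'SameSite=None; Secure' }
      : { sent: false, reason: 'SameSite=None without Secure is rejected' };
  }
  if (mode === 'strict') {
    return { sent: false, reason: 'SameSite=Strict on cross-site request' };
  }

  // Lax (explicit or by default): only top-level navigations with safe methods.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(request.method.toUpperCase());
  if (request.topLevel && safe) {
    return { sent: true, reason: `${mode}: top-level safe-method navigation` };
  }
  // "Lax + POST": only cookies WITHOUT a SameSite attribute, only top-level
  // requests, only within two minutes of being set, only while the flag is off.
  if (mode === 'lax-by-default' && request.topLevel && !rigorous &&
      now - cookie.setAt < TWO_MINUTES_MS) {
    return { sent: true, reason: 'Lax-by-default cookie inside the Lax+POST window' };
  }
  return { sent: false, reason: `${mode}: cross-site ${request.method} is not a safe top-level navigation` };
}

// SAML HTTP-POST binding as seen by the SP: the IdP's page auto-submits a form
// to the Assertion Consumer Service, i.e. a cross-site, top-level POST over https.
const samlResponsePost = { method: 'POST', https: true, crossSite: true, topLevel: true };

// Run the SP session cookie through the model under each SameSite setting.
// The session is assumed to have been issued 30 s before the SAML response
// arrives (i.e. before the redirect to the IdP); that timing is constructed.
function samlPostOutcomes(now) {
  const sessionSetAt = now - 30 * 1000;
  const cookies = {
    explicitLax: { name: 'ASP.NET_SessionId', sameSite: 'Lax', secure: true, setAt: sessionSetAt },
    strict:      { name: 'ASP.NET_SessionId', sameSite: 'Strict', secure: true, setAt: sessionSetAt },
    none:        { name: 'ASP.NET_SessionId', sameSite: 'None', secure: true, setAt: sessionSetAt },
    unspecified: { name: 'ASP.NET_SessionId', secure: true, setAt: sessionSetAt },
  };
  const out = {};
  for (const [label, cookie] of Object.entries(cookies)) {
    out[label] = cookieIsSent(cookie, samlResponsePost, { now }).sent;
  }
  // Same unspecified cookie, but with the rigorous-method flag enabled ...
  out.unspecifiedRigorous = cookieIsSent(cookies.unspecified, samlResponsePost,
                                         { now, methodRigorously: true }).sent;
  // ... and with the cookie older than the two-minute window.
  out.unspecifiedStale = cookieIsSent({ ...cookies.unspecified, setAt: now - 3 * 60 * 1000 },
                                      samlResponsePost, { now }).sent;
  return out;
}

console.log(samlPostOutcomes(Date.now()));
```

Run under Node: only the SameSite=None; Secure cookie and a freshly set cookie with no SameSite attribute at all accompany the POSTed SAML response, and the latter stops being sent as soon as the two-minute window passes or SameSiteDefaultChecksMethodRigorously is on. An explicitly SameSite=Lax session cookie is withheld in every case, so a login flow that works with that setting is one whose ACS endpoint does not need the pre-login session cookie to be presented with the POST.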