Chrome SameSite Cookie Change


jsmith
It was brought to my notice that Google will be releasing a new version soon which changes how the cookies manage the SameSite parameter. 
To resolve the issue I read a post provided in this link: https://www.componentspace.com/Forums/10511/SAML-Cookie-SameSite-Mode-None
and I followed all the instructions given there for my version of ComponentSpace Library which is 2.8.8 in my case. The server we are using is: Windows Server 2008 R2 Datacenter.
  1. Installed latest .NET framework on web server 4.8.
  2. added attribute "cookieSameSite=none" to <sessionState > in web.config.
  3. added <httpCookies requireSSL="true"/> line as well in web.config.

But I do not see the changes reflected in the browser. Am I doing something wrong or am I missing something? Or am I looking for the change in the wrong place?
I am attaching all the related images here for your reference.
Please guide me to solve this issue asap.

web.config changes:



.NET framework version installed on server:


ComponentSpace library version:
https://www.componentspace.com/Forums/Uploads/Images/94c3a024-6d15-4319-9b8d-926e.png


But, Cookies do not reflect the SameSite changes:



Thanks
ComponentSpace
That should be all you need to do.

Here's an example web.config. I changed the cookie name from its default of ASP.NET_SessionId to make it clearer but this isn't necessary.


<system.web>
    <sessionState cookieName="My.ASP.NET_SessionId" cookieSameSite="None" />
    <httpCookies requireSSL="true"/>
</system.web>



Using the Chrome browser developer tools, I see the following. The session cookie has the Secure and SameSite=None attributes.



The raw header is:


set-cookie: My.ASP.NET_SessionId=jl0xj4ihhicmxjpwk2sx4tvm; path=/; secure; HttpOnly; SameSite=None



Please double check that the ASP.NET_SessionId cookie is that for your application, just in case both the IdP and SP applications are running under ASP.NET.

Regards
ComponentSpace Development
jsmith
> ComponentSpace - 1/14/2020
> That should be all you need to do.
>
> Here's an example web.config. I changed the cookie name from its default of ASP.NET_SessionId to make it clearer but this isn't necessary.
>
> <system.web>
>     <sessionState cookieName="My.ASP.NET_SessionId" cookieSameSite="None" />
>     <httpCookies requireSSL="true"/>
> </system.web>
>
> Using the Chrome browser developer tools, I see the following. The session cookie has the Secure and SameSite=None attributes.
>
> The raw header is:
>
> set-cookie: My.ASP.NET_SessionId=jl0xj4ihhicmxjpwk2sx4tvm; path=/; secure; HttpOnly; SameSite=None
>
> Please double check that the ASP.NET_SessionId cookie is that for your application, just in case both the IdP and SP applications are running under ASP.NET.

I did check it multiple times and have also provided you with the screenshot (check attached files for enlarged images) in my opening post. I do see that the "secure" attribute is added to the cookies but "SameSite=none" isn't. And yes, it is for my application because it is being created by the Default.aspx page of my application. I am looking for this cookie on the same page where the "InitiateSSO" method is called; I hope this is the correct page to see the cookies. Or should I be seeing it on the AssertionConsumer page where the SAML request from the IdP is posted?
My web server is Windows 2008 R2. Does it matter what web server I am using even though I have .NET 4.8 already installed on it?
If this solution does not work, could you please suggest another workaround?


Thanks
ComponentSpace
Where you see the cookie set depends on the SSO flow.

Please check the entire network trace of the SAML SSO. It could very well be on the assertion consumer page.

As far as we're aware this will work on Windows 2008 R2. However, we've only tested on later Windows server releases.

The alternative is to upgrade to the latest release (v4.0.0) which has inbuilt SameSite support and uses a custom cookie rather than the ASP.NET_SessionId cookie. If you wished to upgrade, please contact [email protected].

Regards
ComponentSpace Development
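
Added example (not part of the original thread and not ComponentSpace code): a short Python check that walks every Set-Cookie header in a captured SSO trace and reports how a browser enforcing the new SameSite rules would treat the session cookie when the IdP posts the SAML response cross-site. The trace, host names and page paths are constructed; only the My.ASP.NET_SessionId header is taken from the reply above.

```python
# Added example: audit Set-Cookie headers collected from a SAML SSO network trace.

def parse_set_cookie(header):
    """Split one Set-Cookie value into (name, attributes with lowercase keys)."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs

def cross_site_verdict(attrs):
    """Treatment of the cookie on a cross-site POST under the new SameSite rules."""
    same_site = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    if same_site == "none":
        return "sent" if secure else "rejected: SameSite=None requires Secure"
    if same_site == "strict":
        return "withheld: SameSite=Strict"
    # Missing or unrecognised SameSite is treated as Lax, and Lax cookies
    # are not attached to a cross-site POST.
    return "withheld: treated as SameSite=Lax"

def audit_trace(trace, cookie_name):
    """Return [(url, verdict)] for every response in the trace that sets cookie_name."""
    findings = []
    for url, headers in trace:
        for header in headers:
            name, attrs = parse_set_cookie(header)
            if name == cookie_name:
                findings.append((url, cross_site_verdict(attrs)))
    return findings

# Constructed trace: (response URL, Set-Cookie header values seen on that response).
SAMPLE_TRACE = [
    ("https://sp.example/Default.aspx",
     ["ASP.NET_SessionId=aaaa; path=/; secure; HttpOnly"]),
    ("https://sp.example/SAML/AssertionConsumerService.aspx",
     ["My.ASP.NET_SessionId=jl0xj4ihhicmxjpwk2sx4tvm; path=/; secure; HttpOnly; SameSite=None"]),
    ("https://sp.example/legacy",
     ["ASP.NET_SessionId=bbbb; path=/; HttpOnly; SameSite=None"]),
]

if __name__ == "__main__":
    for cookie in ("ASP.NET_SessionId", "My.ASP.NET_SessionId"):
        for url, verdict in audit_trace(SAMPLE_TRACE, cookie):
            print(f"{cookie} @ {url}: {verdict}")
```

Feed it the Set-Cookie values from every response in the flow, including the assertion consumer page, rather than only the page that starts SSO.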