By: Shaun Walker named 17 Aug 2020 at 12:02 a.m. CDT

2 Responses

Hi Team,

We have run into an issue with Chrome. A cookie associated with a cross-site resource at https://gluu-dev.domain.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I can see that a few issues had been raised for https://github.com/GluuFederation/oxAuth/issues?q=samesite. I am unsure if this has been corrected already (hard to tell from oxauth config), or if this is not going to work until we have Gluu 4.3?

Cheers,
Shaun

By Mohib Zico staff 21 Aug 2020 at 11:20 a.m. CDT

Hello Shaun,

We have not heard many complaints about the SameSite issue from our customers yet, so it's not affecting Gluu Server much, I believe (otherwise, we would be flooded by complaints from the customer base). Anyway, we helped one customer check a quick workaround in the Apache config; you can also try [that](https://www.youtube.com/watch?v=d9l9UQaoAbo&feature=youtu.be). The recorded screencast above shows how to apply the configuration in Apache on one test server, and a few tests as well.

By Shaun Walker named 25 Aug 2020 at 12:07 a.m. CDT

Thanks Mohib,

I was able to get it working in our environment by using the following:

```
# Append HttpOnly;Secure;SameSite=None to the opbs, session_state and session_id cookies
Header edit Set-Cookie ^((opbs|session_state|session_id).*)$ $1;HttpOnly;Secure;SameSite=None
# Append HttpOnly;Secure;SameSite=Lax to the locale, session and JSESSIONID cookies
Header edit Set-Cookie ^((org.gluu.i18n.Locale|current_session|rp_session_id|JSESSIONID).*) $1;HttpOnly;Secure;SameSite=Lax
```

Thanks for your help :)

Cheers,
Shaun
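
As an added example (not part of the thread and not Gluu's code), this Python sketch replays the two `Header edit` rules from the post above against constructed `Set-Cookie` values and audits the result against the Chrome rule quoted in the question (`SameSite=None` requires `Secure`). The sample cookie values and the `other_cookie` name are constructed for illustration.

```python
import re

# The two rewrite rules from the post, as (pattern, appended suffix).
# Apache's "$1" back-reference is m.group(1) here.
RULES = [
    (re.compile(r"^((opbs|session_state|session_id).*)$"),
     ";HttpOnly;Secure;SameSite=None"),
    (re.compile(r"^((org.gluu.i18n.Locale|current_session|rp_session_id|JSESSIONID).*)"),
     ";HttpOnly;Secure;SameSite=Lax"),
]

def rewrite(set_cookie):
    """Apply each rule in order, like consecutive Header edit directives."""
    for pattern, suffix in RULES:
        set_cookie = pattern.sub(lambda m: m.group(1) + suffix, set_cookie, count=1)
    return set_cookie

def attributes(set_cookie):
    """Map lower-cased attribute name -> list of values (name=value pair skipped)."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:
        name, _, value = part.strip().partition("=")
        if name:
            attrs.setdefault(name.lower(), []).append(value)
    return attrs

def audit(set_cookie):
    """Return findings for one Set-Cookie value; an empty list means clean."""
    attrs = attributes(set_cookie)
    samesite = [v.lower() for v in attrs.get("samesite", [])]
    findings = []
    if not samesite:
        findings.append("no SameSite attribute")
    elif "none" in samesite and "secure" not in attrs:
        findings.append("SameSite=None without Secure")
    findings += [f"duplicate {name}" for name, vals in attrs.items() if len(vals) > 1]
    return findings

# Constructed sample headers: one bare cookie, one the backend already
# marked Secure/HttpOnly, and one cookie name the rules do not cover.
SAMPLES = [
    "session_id=abc123; Path=/",
    "JSESSIONID=xyz; Path=/oxauth; Secure; HttpOnly",
    "other_cookie=1; Path=/",
]

if __name__ == "__main__":
    for raw in SAMPLES:
        out = rewrite(raw)
        print(f"{raw!r}\n  -> {out!r}\n  findings: {audit(out) or 'none'}")
```

The second sample shows that the rules append attributes unconditionally, so a cookie the backend already marked `Secure; HttpOnly` ends up with each attribute twice, and the third shows that any cookie not named in the patterns still leaves the proxy without `SameSite`.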