Set the cookie "Secure" flag iff the ACS post back URL is HTTPS #1135
Conversation
@AndersAbel This is a proposal for #1091 (comment). I use the What do you think?
This allows compliance with the new (Chrome >= 80) "Reject insecure SameSite=None cookies" rule (which would otherwise drop the correlation cookie).
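The rule the PR applies, shown as an added example that is not code from the PR or the library it targets: a hypothetical helper that derives the correlation cookie's options from the ACS post-back URL (Secure iff HTTPS, SameSite=None), plus a check for the Secure/SameSite=None combination that Chrome 80 drops. It assumes ASP.NET Core's `CookieOptions` and `SameSiteMode`; the URLs are constructed.

```csharp
using System;
using Microsoft.AspNetCore.Http;

// Hypothetical helper (added example, not the library's own code).
// The correlation cookie is set before the browser is sent to the IdP and must
// come back on the cross-site POST to the ACS, so it needs SameSite=None.
// Chrome 80 drops a SameSite=None cookie unless it is also Secure, and a Secure
// cookie is never sent over plain HTTP, hence: Secure iff the ACS URL is HTTPS.
public static class CorrelationCookie
{
    public static CookieOptions OptionsFor(Uri acsPostBackUrl, DateTimeOffset expires)
    {
        bool acsIsHttps = string.Equals(
            acsPostBackUrl.Scheme, Uri.UriSchemeHttps, StringComparison.OrdinalIgnoreCase);

        return new CookieOptions
        {
            HttpOnly = true,          // only read back server-side
            Secure = acsIsHttps,      // the PR's rule
            SameSite = SameSiteMode.None,
            Expires = expires,
        };
    }

    // True for the combination Chrome 80+ silently rejects: SameSite=None
    // without Secure. An HTTP-only local debugging setup (the concern raised
    // in the thread) lands here; the fix is HTTPS locally, not a weaker cookie.
    public static bool RejectedByChrome80(CookieOptions options) =>
        options.SameSite == SameSiteMode.None && !options.Secure;

    // Note: on .NET Core 3.1 SameSiteMode.None emits "SameSite=None"; on 2.x it
    // omits the attribute entirely (the 3.1 breaking change mentioned in the thread).
}

public static class Program
{
    public static void Main()
    {
        var expires = DateTimeOffset.UtcNow.AddMinutes(5);
        // Constructed ACS URLs: one production-style HTTPS, one local HTTP.
        foreach (var acs in new[] { "https://sp.example.com/acs", "http://localhost:5000/acs" })
        {
            var o = CorrelationCookie.OptionsFor(new Uri(acs), expires);
            Console.WriteLine(
                $"{acs}: Secure={o.Secure} SameSite={o.SameSite} " +
                $"chrome80Rejects={CorrelationCookie.RejectedByChrome80(o)}");
        }
    }
}
```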
@AndersAbel Could you take a look at this? Chrome 80 will be released in February ....
@ulrichb I had a quick look and I think it looks good, but I need to look a bit more in detail on it before merging. Is this the only change needed for Chrome 80 to work? I assumed that a SameSite value must also be set (except for that old version of Safari that requires agent sniffing to detect)?
I successfully tested the login procedure (against an ADFS Server) with Chrome 80 Dev Channel (+ enabled "SameSite by default cookies" and "Cookies without SameSite must be secure" in chrome://flags/).
For ASP.NET Core, SameSite=None is already set. (See ) For Owin, a library update to 4.1.0 seems to be necessary. See aspnet/AspNetKatana#201. (I only use the ASP.NET Core version.)
I updated the description above to "Partially fixes #1091 (for the ASP.NET Core version)."
@ulrichb What version of ASP.NET Core have you tested against? Also, won't this break local debugging without HTTPS? At least that's possible with the current implementation. Not sure if the change in Chrome 80 alone will already break that... |
ASP.NET Core 2.2. And oh, I forgot to mention that the explicit
That's the reason why I used
@mklinke Do you need any further info? (February is coming ....)
@ulrichb Not sure what you're asking. I'm yet another user of the library as of now. My project is currently based on .NET Core 3.0 and I found the issue as a blocker when I tried upgrading to .NET Core 3.1 due to the SameSite breaking change there.
Sorry, I meant @AndersAbel :)
Thanks @AndersAbel !
Note: Need to apply the Secure flag for the redirect to Discovery Service too, I'll fix that when merging.
Cool. Thx!
I ended up using cherry-pick to integrate this - first to the v1 branch and then to master. So I'm marking this PR as "closed" but it means "merged".
@AndersAbel Many thanks!
Partially fixes #1091 (for the ASP.NET Core version).
This allows compliance with the new (Chrome >= 80) "Reject insecure SameSite=None cookies" rule (which would otherwise drop the SignInCommand correlation cookie).
Manually tested: