Support for the SameSite cookie attribute

Description

With Chrome version 80 the cookie policy became stricter. Before version 80 a cookie without a SameSite attribute was treated as SameSite=None; from version 80 on such a cookie is treated as SameSite=Lax, and a cookie that must be available in a cross-site context has to be marked explicitly as SameSite=None together with Secure. This causes setting the cookie to fail after the redirect back from the provider. (See https://blog.chromium.org/2019/10/developers-get-ready-for-new.html)

When the callback from an OpenID Connect provider arrives on /auth/rest/login/<providername>, the AuthenticationTokenCookieInterceptor creates a cookie. This cookie is not marked SameSite=None, so the browser does not store it: at that moment the browser is still navigating away from the OpenID Connect provider's site, so the request is treated as cross-site.

Caution: if you set SameSite=None, certain older browser versions (Safari on iOS 12 and macOS 10.14, see the note below) will not work, because they do not recognise the None value and treat the cookie as SameSite=Strict. Chrome 80 also rejects a SameSite=None cookie that is not marked Secure, so the cookie must be set over HTTPS with the Secure attribute.

https://www.chromestatus.com/feature/5088147346030592:
*****NOTE: There is currently a bug affecting Mac OSX and iOS which causes SameSite=None cookies to be inadvertently treated as SameSite=Strict and therefore not sent with cross-site requests. (See https://bugs.webkit.org/show_bug.cgi?id=198181) Until this is fixed, SameSite=None may not work properly on Safari.*****
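Added example (not the project's AuthenticationTokenCookieInterceptor code): a Python sketch of how the token cookie's Set-Cookie header can be built so that it survives the cross-site callback on Chrome 80 while not breaking the clients mentioned above. The cookie name auth_token, the user-agent strings and the detection regexes are constructed for this example; the incompatible-client rules follow Chromium's published "SameSite=None: Known Incompatible Clients" list and are an approximation, not an exhaustive match.

```python
import re

# Added example, not the project's code. Builds the Set-Cookie header for the
# authentication-token cookie so that it is accepted on the cross-site callback
# from the OpenID Connect provider under Chrome 80's rules, while falling back
# for clients known to mishandle SameSite=None. The cookie name "auth_token"
# and the user-agent strings below are constructed for the example.

# Chrome 51-66 reject a cookie that carries SameSite=None outright.
_OLD_CHROME = re.compile(r"Chrom(?:e|ium)/(?:5[1-9]|6[0-6])\.")
# WebKit bug 198181: Safari/WebKit on iOS 12 and macOS 10.14 treat
# SameSite=None as SameSite=Strict, so the cookie is dropped cross-site.
_IOS_12 = re.compile(r"\((?:iPhone|iPad|iPod);[^)]*CPU (?:iPhone )?OS 12[_ ]")
_MACOS_10_14_WEBKIT = re.compile(r"\(Macintosh;[^)]*Mac OS X 10_14[^)]*\) AppleWebKit/")
_CHROMIUM_BASED = re.compile(r"Chrom(?:e|ium)/")


def is_samesite_none_incompatible(user_agent: str) -> bool:
    """True if this client is known to break when a cookie carries SameSite=None."""
    ua = user_agent or ""
    if _OLD_CHROME.search(ua):
        return True
    if _IOS_12.search(ua):
        return True
    # Safari and embedded WebKit views on macOS 10.14 share the bug; Chromium-based
    # browsers on the same OS use their own cookie engine and are unaffected.
    if _MACOS_10_14_WEBKIT.search(ua) and not _CHROMIUM_BASED.search(ua):
        return True
    return False


def build_set_cookie_header(name: str, value: str, user_agent: str,
                            path: str = "/", http_only: bool = True) -> str:
    """Render the Set-Cookie header value for the token cookie.

    Modern browsers get SameSite=None together with Secure (Chrome 80 rejects
    SameSite=None without Secure). Known-incompatible clients get no SameSite
    attribute at all; they still apply the old default, which is None.
    """
    parts = [f"{name}={value}", f"Path={path}", "Secure"]
    if http_only:
        parts.append("HttpOnly")
    if not is_samesite_none_incompatible(user_agent):
        parts.append("SameSite=None")
    return "; ".join(parts)


# Constructed user-agent strings for the demonstration.
CHROME_80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
IOS_12_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.0 "
                 "Mobile/15E148 Safari/604.1")
IOS_13_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) "
                 "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.3 "
                 "Mobile/15E148 Safari/604.1")
MACOS_10_14_SAFARI = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                      "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 "
                      "Safari/605.1.15")
MACOS_10_14_CHROME = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) "
                      "AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.87 "
                      "Safari/537.36")

if __name__ == "__main__":
    samples = [("Chrome 80", CHROME_80), ("iOS 12 Safari", IOS_12_SAFARI),
               ("iOS 13 Safari", IOS_13_SAFARI), ("macOS 10.14 Safari", MACOS_10_14_SAFARI),
               ("macOS 10.14 Chrome", MACOS_10_14_CHROME)]
    for label, ua in samples:
        print(f"{label:20} {build_set_cookie_header('auth_token', 'sample-token', ua)}")
```

The fallback deliberately omits SameSite rather than sending SameSite=Lax: the affected clients predate the Chrome 80 change, so an absent attribute is exactly the pre-80 "None" behaviour the callback relied on, and no attribute value those clients misread is ever sent to them.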

Fixed

Assignee

Unassigned

Reporter

Kees van Ginkel

Labels

None

Fix versions

Priority

Major