samesite

SameSite=None w/ Secure Breaking iFrame in IE11

岁酱吖の submitted on 2020-04-30 11:43:15
Question: With the recent changes it seems that SameSite cookie attributes are throwing a wrench into my website now. A cross-browser iframe that was working before on my site is now broken - even with the SameSite=None; Secure being passed through the iFrame in the response header. I've seen very different reports from people saying Windows 7 doesn't support SameSite=none. Others saying the Secure is breaking or not breaking it. But even the current Microsoft documentation doesn't lay out exactly how

Adding 'SameSite=None;' cookies to Rails via Rack middleware?

别等时光非礼了梦想. submitted on 2020-04-13 03:59:49
Question: On February 4th 2020, Google Chrome will require SameSite=None; to be added to all cross-site cookies. Rails 6.1 and soon Rails 6.0 have added a same_site: :none option to the Rails cookie hash: cookies["foo"]= { value: "bar", expires: 1.year.from_now, same_site: :none } But older Rails 5.x apps won't receive the upgrade to have access to the same_site options hash. I know the SameSite=None; cookie option can be manually added to Rails in a controller using: response.headers["Set-Cookie"] =

How to set Chrome experimental option same-site-by-default-cookie in python selenium

。_饼干妹妹 submitted on 2020-03-23 07:59:08
Question: I suppose this should work: from selenium import webdriver options = webdriver.ChromeOptions() options.add_experimental_option('same-site-by-default-cookies', 'true') driver = webdriver.Chrome(chrome_options=options) to enable the SameSite cookie restrictions scheduled for a future Chrome version. It does not; there is an error: selenium.common.exceptions.InvalidArgumentException: Message: invalid argument: cannot parse capability: goog:chromeOptions from invalid argument: unrecognized chrome option:

Internet Explorer/Edge (not chromium) add additional SameSite=Lax when SameSite=None Secure

倾然丶 夕夏残阳落幕 submitted on 2020-03-15 07:34:11
Question: I have a .NET MVC application loaded in an iframe in a Microsoft Dynamics page. Initially the user will open the home page. The home controller redirects to the login page: return RedirectToAction("Index", "Login", new { returnUrl = redirectURL, error = errorMessage }); This was OK before this update KB4533002 Cumulative Update for .NET adding SameSite=Lax when SameSite is None or not specified. Then I added outbound rules in the web config to send SameSite=None; Secure. <rewrite> <outboundRules>

how SameSite attribute added to my Asp.net_SessionID cookie automatically?

心不动则不痛 submitted on 2020-03-10 20:38:12
Question: Recently samesite=lax was added automatically to my session cookie! This attribute is just added to sessionID: "Set-Cookie ASP.NET_SessionId=zana3mklplqwewhwvika2125; path=/; HttpOnly; **SameSite=Lax**" My website is hosted on IIS 8.5, Windows 2012 R2, and doesn't have a WAF or UrlRewrite, and I turned off the antivirus (kasper), but I still have the same problem on some customer servers. Any idea? EDITED: I found this: https://support.microsoft.com/en-us/help/4524419/kb4524419 ASP.NET will now emit a SameSite cookie header

How to reduce SameSite cookie attribute back to None in ASP.NET?

若如初见. submitted on 2020-03-03 08:58:06
Question: In order to avoid CSRF (Cross-site request forgery) most browsers are (since late 2019) automatically considering that any cookie which does not define the SameSite attribute explicitly will be considered as Lax, instead of None which was the previous default. And more recently (Feb 2020, since Chrome 80) browsers are also ignoring cookies which define SameSite=None and are not secure. How can I change my session cookies to be automatically changed to None (to keep my SSO integrations working) in

IE or Edge Print dialog box send request to server without session (because SameSite=Lax on session cookie)

江枫思渺然 submitted on 2020-02-25 07:17:29
Question: I have an ASP.NET site, where users can log in and members can get a report or print a page with Ctrl+P. Recently, when my members open my site in IE and try to print, they are logged out! Why? Because the IE print dialog sends some requests to the server without the session cookie, so StateServer releases a new session for this client and then the user is logged out. Why does the print dialog send requests? I don't know, but I guess the IE print dialog tries to render the page and ready it for printing. Why doesn't the print dialog send the current

Safari not sending cookie even after setting SameSite=None; Secure

Deadly submitted on 2020-02-21 11:19:20
Question: Our application uses cookies to remember user login. With every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and gets authenticated. This behaviour seems to be broken in Safari after the Mojave release. I read about the cross-site cookie security implemented by Safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work. Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None Please

Safari not sending cookie even after setting SameSite=None; Secure

寵の児 submitted on 2020-02-21 11:14:03
Question: Our application uses cookies to remember user login. With every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and gets authenticated. This behaviour seems to be broken in Safari after the Mojave release. I read about the cross-site cookie security implemented by Safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work. Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None Please

Cookies without “SameSite” attribute are sent on different sub domains

杀马特。学长 韩版系。学妹 submitted on 2020-01-25 05:20:06
Question: So I've read about Chrome 80's cookies defaulting to SameSite=Lax and like the rest of you, I'm now trying to measure the impact this will have on my site. The site I'm running is split on several sub-domains and each of them uses its own cookie. It looks like this: first-site.domain.com uses Cookie1 ( path=/; secure; httponly ) second-site.domain.com uses Cookie2 ( path=/; secure; httponly ) Since these cookies do not specify the SameSite attribute, they are supposed to be treated as Lax on