Missing SameSite Attribute on _saml_idp cookie

Description

The cookie for remembering previously used IDPs, _saml_idp, has no SameSite attribute.

Environment

None

Attachments

2

Activity

Rod Widdowson 
February 7, 2024 at 7:42 PM

Documentation updated.

Rod Widdowson 
February 7, 2024 at 2:12 PM

Awesome! Thank you so much for spotting this issue and working with us to get the patch.

I have applied it. I will ensure that this is documented and the team will discuss making a new release.

Colin Bontemps 
February 7, 2024 at 1:21 PM

Hello, thank you for your feedback :-). To test, I launched the build.bat locally on my workstation and deployed the produced idpselect.js file on a machine with the DS installed. I then tried with and without the CookieProps value in the configuration and verified that cookies were configured as expected in my browser (Firefox). As a result, these tests are limited because I installed the JS file by hand and tested on a single browser. I am willing to spend a little more time to test if you see any additional tests to be carried out. I'm sorry I don't know what a tarball is 😅.

Rod Widdowson 
February 7, 2024 at 1:11 PM

We don’t see any reason not to accept this in - the fallback to the old behavior in an upgrade is particularly nice.

Before I accept it I’d like to get a feel for the testing you have done or could do. Would a testing tarball make it easier for you to test? (Or have you done that already?)

Thanks

Rod Widdowson 
February 7, 2024 at 11:07 AM

Wow! That was an easier patch than I had anticipated. Thanks

Done

Details


Created September 13, 2023 at 8:10 AM
Updated February 27, 2024 at 3:50 PM
Resolved February 27, 2024 at 3:49 PM