Converting IdP POST data to session cookie with SameSite=Strict

  • The IdP makes the browser POST auth data to our site.
  • Our site responds with Set-Cookie and a 303 redirect to another page on our site.
  • The browser does not send this cookie to the redirect page. It sends Sec-Fetch-Site: cross-origin, though.
  • The browser sends the cookie to the resources requested by the page.
  • If the redirect page is a protected resource, it fails due to the missing session cookie.

Both parties are HTTPS and the domains have no common part. The cookie is Secure, has Path=/ and SameSite=Strict. The only workaround we have found so far is to change it to Lax.

Is it possible to mark the HTTP redirect as a same-site redirect without resorting to HTML or JavaScript? I mean, clear its cross-site nature?

The corresponding bugs were opened many years ago and are now abandoned. The devs were playing dumb, as if they could not reproduce the problem.

https://bugs.chromium.org/p/chromium/issues/detail?id=696204

https://bugzilla.mozilla.org/show_bug.cgi?id=1465402

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow