
SameSite should be set to 'None' on the saml_session cookie


djangosaml2 is not setting the SameSite attribute on the saml_session cookie, which leaves it up to browsers to decide whether the cookie is sent with cross-site requests. Browsers are starting to default to SameSite=Lax when a cookie is missing a SameSite attribute, see:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility
https://www.chromestatus.com/feature/5088147346030592

This behaviour breaks SP-initiated login with the HTTP-POST protocol when using djangosaml2, since browsers will refuse to send the saml_session cookie in the request to /saml2/acs/ (because that request is a third-party request initiated by the IdP). This causes djangosaml2 to raise an UnsolicitedResponse error.

I think that djangosaml2 should explicitly set SameSite=None on the saml_session cookie. This would allow the cookie to be sent in third-party requests.

This issue is very similar to https://github.com/peppelinux/djangosaml2/issues/243, but I think there might have been some confusion there between calling response.set_cookie with samesite=None (which results in a cookie without a SameSite attribute), and setting SameSite=None on the cookie.
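The distinction the issue draws, shown with Python's standard-library `http.cookies` rather than Django or djangosaml2 code (this is an added example, not from the project or the issue author): passing `samesite=None` omits the attribute entirely, while `samesite="None"` emits `SameSite=None`. The small `browser_would_send` model of the Lax-by-default rule is an assumption for illustration and ignores Chrome's temporary "Lax+POST" grace period.

```python
from http.cookies import SimpleCookie

COOKIE_NAME = "saml_session"


def build_saml_session_cookie(value, samesite=None, secure=True):
    """Return the Set-Cookie header value as a Django-like set_cookie would.

    samesite=None  -> no SameSite attribute at all (browser picks a default)
    samesite="None" -> explicit SameSite=None (requires Secure to be honoured)
    """
    jar = SimpleCookie()
    jar[COOKIE_NAME] = value
    morsel = jar[COOKIE_NAME]
    morsel["path"] = "/"
    morsel["httponly"] = True
    if secure:
        morsel["secure"] = True
    if samesite is not None:  # the None-vs-"None" pitfall lives on this line
        morsel["samesite"] = samesite
    return morsel.OutputString()


def browser_would_send(set_cookie_header, cross_site, method):
    """Simplified model of a Lax-by-default browser deciding whether to attach
    the cookie to a request, e.g. the IdP-initiated POST to /saml2/acs/."""
    jar = SimpleCookie()
    jar.load(set_cookie_header)
    morsel = jar[COOKIE_NAME]
    mode = (morsel["samesite"] or "Lax").lower()  # missing attribute -> Lax
    if mode == "none":
        # SameSite=None is only accepted together with Secure.
        return bool(morsel["secure"])
    if not cross_site:
        return True
    if mode == "strict":
        return False
    # Lax: cross-site cookies ride along only on top-level GET navigations,
    # so a cross-site HTTP-POST binding to the ACS endpoint loses the cookie.
    return method.upper() == "GET"


if __name__ == "__main__":
    for label, hdr in [("samesite=None", build_saml_session_cookie("abc")),
                       ('samesite="None"', build_saml_session_cookie("abc", "None"))]:
        sent = browser_would_send(hdr, cross_site=True, method="POST")
        print(f"{label:18} -> {hdr}\n{'':18}    sent on cross-site POST: {sent}")
```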

Top GitHub Comments

1 reaction
peppelinux commented, Apr 28, 2021

Now we have v1.1.4 with the suggestion you gave me, very thankful for this. If you will do a PR on documentation (setup.rst) to explain this warning to Django users, I'll really appreciate it!

0 reactions
peppelinux commented, Apr 28, 2021

Feel free to do your tests, confirm the current behaviour and make a PR. Can you spend some effort on this?

Even on documentation if possible.
