Chrome SameSite feature


Published on Apr 12, 2021 by Malys

Google Chrome: Same-site

What is SameSite?

The Heroku blog explains this feature very well.

Google also provides a webpage with the latest SameSite updates.

Use cases

POST data

Authentication

Authentication is a sub-use case of both and is described in this Auth0 blog post.

Browser compatibility

The SameSite attribute is not supported by all browsers and can cause problems in Safari.

Solutions/Workaround

As these changes to include None and update the default behavior are still relatively new, there are inconsistencies among browsers as to how they are handled. You can refer to the updates page on chromium.org for the currently known issues, although it is not possible to say whether that list is exhaustive. While this is not ideal, there are workarounds you can employ during this transitional phase. The general rule is to treat incompatible clients as the special case: do not create an exception for browsers implementing the newer rules.

The first option is to set both the new and old style cookies:

Set-Cookie: 3pcookie=value; SameSite=None; Secure
Set-Cookie: 3pcookie-legacy=value; Secure

Browsers implementing the newer behavior will set the cookie with the SameSite value, while other browsers may ignore or incorrectly set it. However, those same browsers will set the 3pcookie-legacy cookie. When processing included cookies, the site should first check for the presence of the new style cookie and, if it is not found, fall back to the legacy cookie.

A reverse proxy can duplicate the cookie and rewrite the second copy to add SameSite=None; Secure, without changing the legacy behavior.

  • NGINX rule
proxy_cookie_path ~^/(.+)$ "/$1; SameSite=none; Secure; ";

User agent detection

Alternatively, at the point of sending the Set-Cookie header, you can choose to detect the client via the user agent string. Refer to the list of incompatible clients and then make use of an appropriate library for your platform, for example the ua-parser-js library on Node.js. It is advisable to use a library for user agent detection, as you most probably do not want to write those regular expressions yourself.

The benefit of this approach is that it only requires making one change at the point of setting the cookie. However, the necessary warning here is that user agent sniffing is inherently fragile and may not catch all of the affected users.
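The dual-cookie approach above and the user-agent fallback can be combined on the server: issue both cookies, read the new-style one first and fall back to the legacy twin, and flag clients known to mishandle SameSite=None. This is an added Node.js example, not code from the original post; the cookie names, the tiny Cookie-header parser and the two-entry incompatibility check (Chrome 51-66 and iOS 12 Safari only, a subset of the chromium.org list) are assumptions made for the illustration. Both cookies carry Secure, so this only works over HTTPS.

```javascript
'use strict';

// Dual-cookie Set-Cookie values: the new-style cookie carries SameSite=None; Secure,
// its legacy twin omits the SameSite attribute entirely (assumed cookie attributes).
function buildSetCookieHeaders(name, value) {
  const attrs = 'Path=/; Secure; HttpOnly';
  return [
    `${name}=${value}; SameSite=None; ${attrs}`,
    `${name}-legacy=${value}; ${attrs}`,
  ];
}

// Minimal parser for the request Cookie header (constructed for this example).
function parseCookieHeader(header) {
  const jar = {};
  for (const part of (header || '').split(';')) {
    const idx = part.indexOf('=');
    if (idx < 0) continue;
    jar[part.slice(0, idx).trim()] = part.slice(idx + 1).trim();
  }
  return jar;
}

// Prefer the new-style cookie; use the legacy twin only when the browser dropped
// or refused the SameSite=None one. Returns null when neither is present.
function readCookie(header, name) {
  const jar = parseCookieHeader(header);
  if (name in jar) return { value: jar[name], source: 'new' };
  const legacy = `${name}-legacy`;
  if (legacy in jar) return { value: jar[legacy], source: 'legacy' };
  return null;
}

// Partial user-agent check: Chrome 51-66 reject cookies carrying SameSite=None and
// iOS 12 Safari treats None as Strict. Assumption: only these two entries of the
// chromium.org incompatible-client list are covered here.
function rejectsSameSiteNone(ua) {
  const chrome = /Chrom(?:e|ium)\/(\d+)/.exec(ua);
  if (chrome) {
    const major = Number(chrome[1]);
    if (major >= 51 && major <= 66) return true;
  }
  return /\(iP(?:hone|ad|od);.*OS 12[_.]\d/.test(ua);
}

module.exports = { buildSetCookieHeaders, parseCookieHeader, readCookie, rejectsSameSiteNone };
```

When `rejectsSameSiteNone` returns true, send only the legacy cookie to that client; every other client gets both headers and the new-style cookie wins on read.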

Keycloak implementation

Keycloak is impacted by the SameSite feature when the Keycloak adapter tries to check the SSO status to allow "Single Sign Out". An iframe checks the cookie and session state every 5 minutes.

Keycloak generates two cookies for compatibility and reads them in the Keycloak.js adapter (see the pull request).

Proactiveness