File: articles/active-directory/develop/howto-handle-samesite-cookie-changes-chrome-browser.md
Lines changed: 18 additions & 17 deletions
@@ -9,11 +9,12 @@ ms.service: active-directory
9
9
ms.subservice: develop
10
10
ms.workload: identity
11
11
ms.topic: conceptual
12
-
ms.date: 01/27/2020
12
+
ms.date: 02/07/2023
13
13
ms.author: henrymbugua
14
14
ms.reviewer: kkrishna, jmprieur
15
15
ms.custom: aaddev
16
16
---
17
+
17
18
# Handle SameSite cookie changes in Chrome browser
18
19
19
20
## What is SameSite?
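Review bot: the only substantive change in this hunk is the `ms.date` bump from 01/27/2020 to 02/07/2023, plus a blank line inserted after the closing `---` of the front matter. A date bump tells readers the article was re-reviewed on that date, so it should only go in together with a pass over the body text; the later hunks in this commit adjust wording but leave the technical claims untouched, so please confirm those claims were actually checked as part of this review rather than treating the date as cosmetic.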
@@ -29,7 +30,7 @@ By default, the `SameSite` value is NOT set in browsers and that's why there are
29
30
30
31
Recent [updates to the standards on SameSite](https://tools.ietf.org/html/draft-west-cookie-incrementalism-00) propose protecting apps by making the default behavior of `SameSite` when no value is set to Lax. This mitigation means cookies will be restricted on HTTP requests except GET made from other sites. Additionally, a value of **None** is introduced to remove restrictions on cookies being sent. These updates will soon be released in an upcoming version of the Chrome browser.
31
32
32
-
When web apps authenticate with the Microsoft Identity platform using the response mode "form_post", the login server responds to the application using an HTTP POST to send the tokens or auth code. Because this request is a cross-domain request (from `login.microsoftonline.com` to your domain - for instance `https://contoso.com/auth`), cookies that were set by your app now fall under the new rules in Chrome. The cookies that need to be used in cross-site scenarios are cookies that hold the *state* and *nonce* values, that are also sent in the login request. There are other cookies dropped by Azure AD to hold the session.
33
+
When web apps authenticate with the Microsoft identity platform using the response mode "form_post", the login server responds to the application using an HTTP POST to send the tokens or auth code. Because this request is a cross-domain request (from `login.microsoftonline.com` to your domain - for instance `https://contoso.com/auth`), cookies that were set by your app now fall under the new rules in Chrome. The cookies that need to be used in cross-site scenarios are cookies that hold the _state_ and _nonce_ values, that are also sent in the login request. There are other cookies dropped by Azure Active Directory (Azure AD) to hold the session.
33
34
34
35
If you don't update your web apps, this new behavior will result in authentication failures.
35
36
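Review bot: the rewording on this line is cosmetic (lowercase "identity platform", underscores for italics, "Azure Active Directory (Azure AD)" spelled out) but it leaves two problems in the same sentence. "There are other cookies dropped by Azure AD to hold the session" reads as if Azure AD discards cookies; suggest "set by Azure AD". And "cookies that hold the _state_ and _nonce_ values, that are also sent in the login request" should read "which are also sent in the login request". Since the commit re-dates the article to 2023, the untouched context line above ("These updates will soon be released in an upcoming version of the Chrome browser") should also be revisited: it comes from the 01/27/2020 version and still describes the change as pending.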
@@ -39,17 +40,17 @@ To overcome the authentication failures, web apps authenticating with the Micros
39
40
Other browsers (see [here](https://www.chromium.org/updates/same-site/incompatible-clients) for a complete list) follow the previous behavior of `SameSite` and won't include the cookies if `SameSite=None` is set.
40
41
That's why, to support authentication on multiple browsers web apps will have to set the `SameSite` value to `None` only on Chrome and leave the value empty on other browsers.
41
42
42
-
This approach is demonstrated in our code samples below.
43
+
This approach is demonstrated in the following sample code.
43
44
44
45
# [.NET](#tab/dotnet)
45
46
46
-
The table below presents the pull requests that worked around the SameSite changes in our ASP.NET and ASP.NET Core samples.
47
+
The following table presents the pull requests that worked around the SameSite changes in our ASP.NET and ASP.NET Core samples.
47
48
48
-
| Sample | Pull request |
49
-
| ------ | ------------ |
50
-
|[ASP.NET Core web app incremental tutorial](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2)|[Same site cookie fix #261](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261)|
51
-
|[ASP.NET MVC web app sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[Same site cookie fix #35](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/pull/35)|
52
-
|[active-directory-dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[Same site cookie fix #28](https://github.com/Azure-Samples/active-directory-dotnet-admin-restricted-scopes-v2/pull/28)|
|[ASP.NET Core web app incremental tutorial](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2)|[Same site cookie fix #261](https://github.com/Azure-Samples/active-directory-aspnetcore-webapp-openidconnect-v2/pull/261)|
52
+
|[ASP.NET MVC web app sample](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect)|[Same site cookie fix #35](https://github.com/Azure-Samples/ms-identity-aspnet-webapp-openidconnect/pull/35)|
53
+
|[active-directory-dotnet-admin-restricted-scopes-v2](https://github.com/azure-samples/active-directory-dotnet-admin-restricted-scopes-v2)|[Same site cookie fix #28](https://github.com/Azure-Samples/active-directory-dotnet-admin-restricted-scopes-v2/pull/28)|
53
54
54
55
for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see also:
55
56
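Review bot: the removed lines include the table header `| Sample | Pull request |` and its separator row `| ------ | ------------ |`, while the added lines show only the three data rows being re-inserted; unless the header is re-added in a part of the hunk not visible here, the rows will render as plain pipe-delimited text rather than a table under the .NET tab. Please confirm the header survives. Two smaller points on context lines in this hunk: "for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see also:" starts lowercase, and "to support authentication on multiple browsers web apps will have to set" needs a comma after "browsers". The "below" to "following" wording edits are fine.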
@@ -58,16 +59,16 @@ for details on how to handle SameSite cookies in ASP.NET and ASP.NET Core, see a
|[ms-identity-java-webapp](https://github.com/Azure-Samples/ms-identity-java-webapp)|[Same site cookie fix #24](https://github.com/Azure-Samples/ms-identity-java-webapp/pull/24)|
71
+
|[ms-identity-java-webapi](https://github.com/Azure-Samples/ms-identity-java-webapi)|[Same site cookie fix #4](https://github.com/Azure-Samples/ms-identity-java-webapi/pull/4)|
71
72
72
73
---
73
74
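Review bot: the hunk header says 16 lines on both sides, but only the added `ms-identity-java-webapi` row (`Same site cookie fix #4`) and two context lines are visible here; the matching removal is not shown, so it cannot be confirmed from this rendering whether a row was replaced or this is a net addition. If it is a net addition the counts would have to be 16/17, so please check the full hunk. The new row follows the same `| sample | pull request |` shape as the `ms-identity-java-webapp` row above it, which is consistent.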
@@ -79,4 +80,4 @@ Learn more about SameSite and the Web app scenario: