
Chrome SameSite Cookie Change

SAML Global Logins use a cookie to maintain SAML session state in support of the SAML protocol. This cookie must have a SameSite mode of None: the SAML response is POSTed to the service provider from the identity provider's site, and a cookie with SameSite=Lax is not sent on such a cross-site POST. In earlier releases of Chrome, a cookie without a SameSite attribute was treated as SameSite=None. Starting with Chrome 80, the default is SameSite=Lax. Furthermore, if a SameSite mode of None is specified, Chrome requires the Secure attribute to be present on the cookie; a SameSite=None cookie without Secure is rejected.

To repair or prevent issues caused by this change, the ASP.NET session cookie must include a SameSite value of None and must be marked Secure, which means the application must be served over HTTPS (a Secure cookie is never returned over plain HTTP). Note that SameSite=None removes the cross-site request protection that Lax provides, so the application must not rely on the session cookie's SameSite attribute as its CSRF defence; anti-forgery tokens are still required.

  1. Update the application's web.config to specify the following inside the <system.web> section.
    <sessionState cookieSameSite="None" />
    <httpCookies requireSSL="true" />
    
  2. If the previous step causes an "unrecognized attribute" configuration error, update the web server to a current .NET Framework release (i.e. .NET Framework 4.8 or later) to pick up the runtime support for the cookieSameSite attribute. This will require a server restart. Note that the application may continue to target an earlier version of the .NET Framework. For example, your application's project may continue to target .NET Framework v4.0 but you need to update the web server to .NET Framework 4.8.

Some older browsers are incompatible with the SameSite mode of None. In particular, older releases of Safari, prior to macOS Catalina or iOS 13, treat SameSite=None as if it were SameSite=Strict, so the session cookie is not sent with the cross-site SAML response and the login fails. It's recommended that users upgrade to the latest macOS or iOS release. Of course, this may not be possible, and SAML for ASP.NET 4.0.0 and the SAML Cookie HTTP Module both include code to detect these older browsers and omit the SameSite attribute from the cookie for them. The list of known incompatible clients is maintained at https://www.chromium.org/updates/same-site/incompatible-clients
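The following is an added example of the approach described on this page, written for this article; it is not the SAML for ASP.NET or SAML Cookie HTTP Module source. It is an ASP.NET HttpModule that, just before response headers are sent, sets SameSite=None and Secure on the ASP.NET session cookie, except for user agents known to mishandle SameSite=None, for which it omits the attribute entirely. The class name, module registration name and the assumption that the session cookie uses the default name ASP.NET_SessionId are choices made for the example; the user-agent rules follow the categories on the Chromium incompatible-clients page linked above. It assumes .NET Framework 4.7.2 or later, where HttpCookie has a SameSite property.

```csharp
using System;
using System.Text.RegularExpressions;
using System.Web;

// Added example, not code from SAML for ASP.NET or the SAML Cookie HTTP Module.
// Assumes .NET Framework 4.7.2 or later (HttpCookie.SameSite) and the default
// ASP.NET session cookie name. Register it in web.config, for example:
//   <system.webServer><modules>
//     <add name="SameSiteSessionCookie" type="SameSiteSessionCookieModule" />
//   </modules></system.webServer>
// (use the assembly-qualified type name if the class is not compiled from App_Code).
public class SameSiteSessionCookieModule : IHttpModule
{
    // Default session cookie name; match the sessionState cookieName if it is customised.
    private const string SessionCookieName = "ASP.NET_SessionId";

    public void Init(HttpApplication app)
    {
        // Fires after SessionStateModule has added its cookie to the response,
        // but before the Set-Cookie headers are flushed to the client.
        app.PreSendRequestHeaders += OnPreSendRequestHeaders;
    }

    public void Dispose()
    {
    }

    private static void OnPreSendRequestHeaders(object sender, EventArgs e)
    {
        HttpContext context = ((HttpApplication)sender).Context;
        HttpResponse response = context.Response;
        string userAgent = context.Request.UserAgent ?? string.Empty;
        bool omitSameSite = DisallowsSameSiteNone(userAgent);

        // Response.Cookies holds only the cookies being set by this response.
        for (int i = 0; i < response.Cookies.Count; i++)
        {
            HttpCookie cookie = response.Cookies[i];
            if (!string.Equals(cookie.Name, SessionCookieName, StringComparison.Ordinal))
            {
                continue;
            }

            if (omitSameSite)
            {
                // The out-of-range value -1 tells ASP.NET to emit no SameSite attribute at all;
                // these older clients then apply no SameSite restriction to the cookie.
                cookie.SameSite = (SameSiteMode)(-1);
            }
            else
            {
                // Chrome 80+ rejects a SameSite=None cookie that is not also Secure.
                cookie.SameSite = SameSiteMode.None;
                cookie.Secure = true;
            }
        }
    }

    // Known-incompatible clients, following the categories on
    // https://www.chromium.org/updates/same-site/incompatible-clients
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // All browsers on iOS 12 (Safari, WKWebView, Chrome for iOS) share the iOS
        // network stack, which treats SameSite=None as SameSite=Strict.
        if (userAgent.Contains("CPU iPhone OS 12_") || userAgent.Contains("iPad; CPU OS 12_"))
        {
            return true;
        }

        // Safari 12 and embedded WebKit views on macOS 10.14 (Mojave) have the same bug.
        // Chrome on macOS uses its own network stack and is unaffected.
        if (userAgent.Contains("Mac OS X 10_14")
            && userAgent.Contains("AppleWebKit/")
            && !userAgent.Contains("Chrome/")
            && !userAgent.Contains("Chromium/"))
        {
            return true;
        }

        // Chrome 51 to 66 (inclusive) reject any cookie carrying SameSite=None outright.
        if (Regex.IsMatch(userAgent, @"Chrom(e|ium)/(5[1-9]|6[0-6])\."))
        {
            return true;
        }

        // UC Browser on Android before version 12.13.2 also rejects SameSite=None cookies.
        Match uc = Regex.Match(userAgent, @"UCBrowser/(\d+)\.(\d+)\.(\d+)");
        if (uc.Success)
        {
            var version = new Version(
                int.Parse(uc.Groups[1].Value),
                int.Parse(uc.Groups[2].Value),
                int.Parse(uc.Groups[3].Value));
            return version < new Version(12, 13, 2);
        }

        return false;
    }
}
```

Two points to keep in mind when using something like this. First, user-agent sniffing is a heuristic: the rules above only cover the clients listed on the Chromium page, and the whole branch that omits SameSite should be retired once those clients are no longer seen in the site's logs. Second, because the module forces Secure on the session cookie, the service provider must be reachable over HTTPS only; a browser will not return that cookie on a plain HTTP request, so an HTTP ACS endpoint would lose the session and the SAML login would fail in a way that looks like the SameSite problem.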