Univention Bugzilla – Bug 54484
UMC: make SameSite cookie attribute configurable
Last modified: 2022-04-13 20:58:47 CEST
The SameSite cookie attribute should be set by UMC when sending cookies, especially for the session cookie. We should either make it configurable to set this or hardcode it to a useful default. It must be respected that we are doing requests to different origins (ucs-sso.$host), but this is the other way round. I think we can make a strict default here and might have to make an unstrict default in simplesamlphp (see Bug #54483).
Successful build
Package: univention-management-console
Version: 12.0.12-21A~5.0.0.202204041052
Branch: ucs_5.0-0
Scope: errata5.0-1

It is now possible to set the SameSite cookie attribute for UMC cookies via UCR variable umc/http/cookie/samesite
OK: setting of SameSite=None|Lax|Strict works.
Note: SameSite=None can only be set if "Secure" is also set - otherwise browsers drop the entire cookie:
`ucr set umc/http/enforce-secure-cookie=true umc/http/cookie/samesite=None`
OK: UCR variable description
OK: YAML
<https://errata.software-univention.de/#/?erratum=5.0x283>
Chrome 80 treats cookies as SameSite=Lax by default if no SameSite attribute is specified, see https://www.chromestatus.com/feature/5088147346030592.
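The two rules discussed in this bug (SameSite=None is only accepted together with Secure, and a cookie without any SameSite attribute is treated as Lax by Chrome 80 and later) can be checked mechanically. The following is an added example written for this page, not UMC's own code: `build_session_cookie` models what a server should emit given the two settings from the UCR variables umc/http/cookie/samesite and umc/http/enforce-secure-cookie (passed in as plain arguments here), and `effective_samesite` parses a Set-Cookie header as a QA check and reports how a Chrome-80-style browser would treat it. The cookie name "sessionid" and the sample headers are constructed placeholders.

```python
"""SameSite/Secure consistency checks for Set-Cookie headers.

Added example for the UMC SameSite bug; not Univention code. It encodes
two browser rules mentioned in the bug thread:
  * SameSite=None without Secure -> the browser drops the whole cookie.
  * no SameSite attribute at all   -> Chrome 80+ treats it as Lax.
"""
from http.cookies import SimpleCookie

VALID_SAMESITE = ("None", "Lax", "Strict")


def validate_cookie_policy(samesite, secure):
    """Return None if the combination is acceptable, else a problem string.

    `samesite` stands in for umc/http/cookie/samesite and `secure` for
    umc/http/enforce-secure-cookie (assumed mapping, see lead-in).
    """
    if samesite not in VALID_SAMESITE:
        return f"unsupported SameSite value: {samesite!r}"
    if samesite == "None" and not secure:
        return "SameSite=None requires Secure; browsers drop the cookie otherwise"
    return None


def build_session_cookie(name, value, samesite, secure, path="/"):
    """Build a Set-Cookie header value, refusing combinations browsers reject."""
    problem = validate_cookie_policy(samesite, secure)
    if problem:
        raise ValueError(problem)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = path
    morsel["samesite"] = samesite      # supported by http.cookies since Python 3.8
    morsel["httponly"] = True          # session cookies should never be script-readable
    if secure:
        morsel["secure"] = True
    return morsel.OutputString()


def effective_samesite(set_cookie_header):
    """Parse a Set-Cookie header and report (effective_mode, accepted).

    effective_mode is the SameSite mode a Chrome-80-style browser applies;
    accepted is False when the browser would discard the cookie entirely.
    """
    parts = [p.strip() for p in set_cookie_header.split(";")]
    attrs = {}
    for part in parts[1:]:                      # parts[0] is name=value
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    if samesite is None:
        return "Lax", True                      # Chrome 80 default when absent
    samesite = samesite.capitalize()            # normalise "none"/"LAX" etc.
    if samesite == "None" and not secure:
        return "None", False                    # dropped: None without Secure
    return samesite, True


if __name__ == "__main__":
    # Constructed sample headers, as a QA run over what a server might emit.
    samples = [
        "sessionid=abc123; Path=/; HttpOnly",
        "sessionid=abc123; Path=/; SameSite=None; HttpOnly",
        "sessionid=abc123; Path=/; SameSite=None; Secure; HttpOnly",
        build_session_cookie("sessionid", "abc123", "Strict", True),
    ]
    for hdr in samples:
        mode, ok = effective_samesite(hdr)
        print(f"{'OK  ' if ok else 'DROP'} {mode:<6} <- {hdr}")
```

Running the script prints one line per sample; the second sample is reported as dropped, which is exactly the misconfiguration the QA note warns about (`umc/http/cookie/samesite=None` without `umc/http/enforce-secure-cookie=true`).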