Release date: 2020-16-01
Version 2.0.3 includes a small change to the OIOSAML session cookie
to mitigate the upcoming changes in how browsers handle third-party
cookies. From February 2020, the default behavior in Chrome regarding
the SameSite property on cookies will change. From then on, the
default setting will be SameSite=Lax if the SameSite property is
not set. See https://www.chromestatus.com/feature/5633521622188032.
OIOSAML 2.0.2 and earlier do not set the SameSite property, meaning
that the OIOSAML session cookie will not be loaded when returning from
NemLog-in (IdP). The consequence is that the login flow fails. For an
undefined period, Chrome will accept third-party cookies with an age
of less than 2 minutes. Thus, for an undefined period, users will still
be able to log in with version 2.0.2 and earlier if they take less than
2 minutes to complete the login flow.
OIOSAML.Net 2.0.3 sets the SameSite property to None, making the
login flow work as normal. When the SameSite property is set to None,
the OIOSAML session cookie must also be Secure.
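The cookie behaviour described above can be checked against a captured Set-Cookie header with a small model like the following. This is an added example, not part of OIOSAML.Net; the cookie name and values are constructed, and it assumes the IdP returns the user with a cross-site POST and that the 2-minute exception applies only to cookies with no SameSite attribute.

```python
from datetime import timedelta

GRACE = timedelta(minutes=2)  # temporary window mentioned in the release note

def parse_set_cookie(header):
    """Split a Set-Cookie value into (name, {lower-cased attribute: value})."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    return name, attrs

def sent_on_idp_return(header, cookie_age):
    """Simplified model of the new Chrome default: is the session cookie
    attached to the cross-site POST that brings the user back from the IdP?
    Returns (sent, reason)."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if "secure" in attrs:
            return True, "SameSite=None with Secure"
        return False, "SameSite=None without Secure is rejected"
    if samesite in ("lax", "strict"):
        return False, "explicit SameSite=%s blocks cross-site POST" % samesite
    # No (or unrecognised) SameSite attribute: treated as Lax by default.
    if cookie_age < GRACE:
        return True, "defaulted to Lax, still inside the 2-minute window"
    return False, "defaulted to Lax, login took too long"

# Constructed sample headers; "session_cookie" is a placeholder name.
SAMPLES = {
    "2.0.2 style": "session_cookie=abc123; Path=/; HttpOnly",
    "2.0.3 style": "session_cookie=abc123; Path=/; HttpOnly; SameSite=None; Secure",
    "misconfigured": "session_cookie=abc123; Path=/; SameSite=None",
}

def audit(cookie_age):
    """Evaluate every sample header for a login flow of the given duration."""
    return {k: sent_on_idp_return(v, cookie_age) for k, v in SAMPLES.items()}

if __name__ == "__main__":
    for age in (timedelta(seconds=45), timedelta(minutes=5)):
        for label, (sent, reason) in audit(age).items():
            print(age, label, "sent" if sent else "dropped", "-", reason)
```

Feeding it the Set-Cookie header your own deployment emits (for example copied from the browser developer tools) shows whether the login flow depends on the temporary window.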
Release notes: OIOSAML.Net (dk.nita.saml20)
- (Breaking) The OIOSAML session cookie has the SameSite
property set to None. This requires at least .Net version 4.7.2.
Release notes: dk.nita.saml20.ext.audit.log4net
- No changes
Release notes: dk.nita.saml20.ext.sessionstore.sqlserver
- No changes
Documentation and code can be found at GitHub: https://github.com/digst/OIOSAML.Net
The packages are only available at nuget.org