Chrome v80 introduced new security settings for cookies: a cookie that does not specify a SameSite attribute is now treated as SameSite=Lax, and a cookie marked SameSite=None is only honored if it is also marked Secure.
Additional Documentation
- https://web.dev/samesite-cookies-explained/
- https://docs.microsoft.com/en-us/office365/troubleshoot/miscellaneous/chrome-behavior-affects-applications
Resolution
There are 4 options to resolve this issue:
- Disable the new security enhancement in Chrome v80 (workaround/short term option)
- Suggest the user temporarily change browsers until a permanent configuration change is made (workaround/short term option)
- Update the web.config configuration within IIS (may need to contact Akumina)
- Upgrade your Akumina application to v4.8 (which will require no modification to IIS)
Disable the new security enhancement
The setting that controls this in Chrome v80 can be changed as follows:
- Navigate to Chrome's settings or type this into your browser address field:
chrome://flags
- Search for 'SameSite'
- Find the "SameSite by default cookies" line
- Change from "Default" to "Disabled"
Update the web.config configuration within IIS
- In web.config look for the following:
</system.webServer>
- Above that line, add:
<rewrite>
  <outboundRules>
    <rule name="AddSameSiteCookieFlag">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(AKAPP|AKDWP)(=.*)$" />
      <action type="Rewrite" value="{R:0};SameSite=None;Secure;" />
    </rule>
  </outboundRules>
</rewrite>
Final:
<rewrite>
  <outboundRules>
    <rule name="AddSameSiteCookieFlag">
      <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(AKAPP|AKDWP)(=.*)$" />
      <action type="Rewrite" value="{R:0};SameSite=None;Secure;" />
    </rule>
  </outboundRules>
</rewrite>
</system.webServer>
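To check what the rule does before deploying it, the following added example (not Akumina's code) applies the rule's pattern and rewrite value to constructed Set-Cookie headers and reports how Chrome v80 would treat each cookie on a cross-site request. The sample header values and function names are assumptions made for illustration; the pattern is evaluated as an ECMAScript regular expression, which is the URL Rewrite default.

```javascript
// Added example: simulates the outbound rule on constructed Set-Cookie headers.
const RULE_PATTERN = /^(.*)(AKAPP|AKDWP)(=.*)$/; // pattern attribute of <match>
const RULE_SUFFIX = ";SameSite=None;Secure;";    // <action> value after {R:0}

// {R:0} is the whole matched header, so the action appends the suffix to it.
function applyRule(setCookie) {
  const m = RULE_PATTERN.exec(setCookie);
  return m ? m[0] + RULE_SUFFIX : setCookie;
}

// Collect the attributes that follow the leading name=value pair.
function parseAttributes(setCookie) {
  return setCookie.split(";").slice(1)
    .map(part => part.trim()).filter(Boolean)
    .map(part => {
      const [name, value = ""] = part.split("=");
      return { name: name.trim().toLowerCase(), value: value.trim().toLowerCase() };
    });
}

// How Chrome v80 handles the cookie on a cross-site request.
function crossSiteVerdict(setCookie) {
  const attrs = parseAttributes(setCookie);
  const sameSite = attrs.filter(a => a.name === "samesite");
  const secure = attrs.some(a => a.name === "secure");
  if (sameSite.length === 0) return "lax-by-default";
  if (sameSite.length > 1) return "review-duplicate-samesite";
  if (sameSite[0].value !== "none") return "restricted-" + sameSite[0].value;
  return secure ? "sent-cross-site" : "rejected-none-without-secure";
}

// Constructed sample headers (hypothetical values, not captured traffic).
const SAMPLES = [
  "AKAPP=abc123; path=/; HttpOnly",
  "AKDWP=tok456; path=/; SameSite=Lax",
  "ASP.NET_SessionId=xyz789; path=/; HttpOnly",
  "AKAPP=abc123; path=/; SameSite=None",
];

// Verdict for each header before and after the rule is applied.
function audit(headers) {
  return headers.map(h => {
    const after = applyRule(h);
    return { before: crossSiteVerdict(h), after: crossSiteVerdict(after), header: after };
  });
}

for (const row of audit(SAMPLES)) console.log(row.before, "->", row.after, "|", row.header);
```

Rows reported as `review-duplicate-samesite` are headers where the application already set SameSite and the rule appended a second one. The rewritten cookies also carry Secure, so they are only sent over HTTPS.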
Upgrade your Akumina application to v4.8
The next major release of Akumina (v4.8, due Q1 2020) will include updates that resolve this issue.