Chrome Samesite - cross domain iframe use-case
Article ID: 195343
Updated On:
Products
Issue/Introduction
When running 3 Web Agents and when a user accesses a page having iframe which gets the page from another Web Agent and different domain, then the SMSESSION cookie is not sent to that Web Agent and the page is sent back to the cookie provider.
The flow scenario is as follows:
- When user accesses the Application 1 URL on the Chrome 80 version, Application 1 URL works well;
- Now the Application 1 calls the Application 2 using iframe;
- The Application 2 has no cookie in browser, so it redirects the browser to Cookie Provider and then the browser enters a loop which ends with an error:
wa.example.com redirected you too many times - Trying to set "getcpcookie=yes" in the Cookie Provider instance, but still issue is reproduced.
Configuration :
Cookie provider URL = http://wa.example.com/smmakecookie.ccc Cookie provider cookie domain = .example.com Cookie provider samesite value = none
Application 1 URL = http://mywa.example.org/index.html Application 1 cookie domain = .example.org Application 1 cookie provider URL = http://wa.example.com/smmakecookie.ccc Application 1 samesite value = nothing set, so the browser takes it as LAX
Application 2 URL = http://mywa.example.net/index.html Application 2 cookie domain = .example.net Applicaiton 2 cookie provider URL = http://wa.example.com/smmakecookie.ccc Application 2 samesite value = nothing set, so the browser takes it as LAX
Environment
3 Web Agents 12.52SP1CR10 with SameSite patches 64bit on Apache 2.4 64bit on RedHat 6;
Policy server 12.8SP3 on RedHat6;
Resolution
The use case involves 2 of the use cases described from the documentation (1):
- Cookie provider flow for any POST request to an application;
- SSO between applications when a SMSESSION cookie exists and a POST request is initiated from cross-site;
As such, apply the samesite fix on the 3 Web Agents.
The following iframe code on the page will make the use case working with Internet Explorer and using HTML Form Authentication Scheme.
The target page served by app 1 mywa.example.org:
<!DOCTYPE html> <html> <body>
<h1>The iframe element</h1>
This is test page
<form action="action" method="post" target="output_frame"> <!-- input elements here --> </form> <iframe name="output_frame" src="http://mywa.example.net/home/index.html" id="output_frame"> </iframe>
</body> </html>
The http://mywa.example.net/home/index.html resource has this code:
<html>home</html>
Configure the first the Cookie Provider and both Web Agent that way:
wa.example.com (cookie provider) :
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'. [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'. [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'. [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
mywa.example.org (app 1)
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''. [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'. [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'. [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'. [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'. [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.
mywa.example.net (app 2 embedded iframe in mywa.example.org)
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''. [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'. [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'. [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'. [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'. [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.
With iexplore (Internet explorer) it works, as the browser needs to log in only once at mywa.example.org and get embedded mywa.example.net.
With chrome (Google Chrome) it doesn't work, as the browser needs to log in at mywa.example.org and the browser is asked again to login at mywa.example.net.
After trying to reach mywa.example.net, the browser gets redirected to the Cookie Provider.
The cookie for the Cookie provider isn't sent, so the Cookie Provider cannot create one for mywa.example.net.
Changing the configuration on the Cookie Provider to use the ACO parameter from the Samesite enhancement:
wa.example.com (cookie provider):
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'. [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'. [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'. [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'. [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'. [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
Now, with chrome (Google Chrome) it doesn't work as the user needs to log in only once at mywa.example.org and then the resource from mywa.example.net doesn't show up.
In fiddler traces, after trying to reach mywa.example.net, the browser gets redirected the cookie for the Cookie provider.
But this time a cookie is sent to example.net domain, but the Agent from example.net goes back to the Cookie Provider in a loop because the Cookie Provider doesn't receive the expected cookie.
The browser shows then the following error:
wa.example.com redirected you too many times.
Finally, keeping the Cookie Provider with the same configuration and adding the Samesite ACO for both the other Web Agents:
wa.example.com (cookie provider) :
[6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomain='.example.com'. [6054/3339433728][Fri Jul 10 2020 10:55:21] cookiedomainscope='0'. [6054/3339433728][Fri Jul 10 2020 10:55:21] enablecookieprovider='yes'. [6054/3339433728][Fri Jul 10 2020 11:09:59] getcpcookie='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] limitcookieprovider='no'. [6054/3339433728][Fri Jul 10 2020 11:09:59] samesite='None'. [6054/3339433728][Fri Jul 10 2020 10:55:21] trackcpsessiondomain='yes'. [6054/3339433728][Fri Jul 10 2020 10:55:21] tracksessiondomain='no'.
mywa.example.org (app 1)
[5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomain=''. [5505/2828023552][Fri Jul 10 2020 10:48:12] cookiedomainscope='0'. [5505/2828023552][Fri Jul 10 2020 10:48:12] cookieprovider='http://wa.example.com/smmakecookie.ccc'. [5505/2828023552][Fri Jul 10 2020 10:48:12] enablecookieprovider='no'. [5505/2828023552][Fri Jul 10 2020 10:48:12] limitcookieprovider='no'. [5505/2828023552][Fri Jul 10 2020 11:09:59] samesite='None'. [5505/2828023552][Fri Jul 10 2020 10:48:12] tracksessiondomain='no'.
mywa.example.net (app 2 embedded iframe in mywa.example.org)
[5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomain=''. [5512/991487744][Fri Jul 10 2020 10:48:47] cookiedomainscope='0'. [5512/991487744][Fri Jul 10 2020 10:48:47] cookieprovider='http://wa.example.com/smmakecookie.ccc'. [5512/991487744][Fri Jul 10 2020 10:48:47] enablecookieprovider='no'. [5512/991487744][Fri Jul 10 2020 10:48:47] limitcookieprovider='no'. [5512/991487744][Fri Jul 10 2020 11:09:59] samesite='None'. [5512/991487744][Fri Jul 10 2020 10:48:47] tracksessiondomain='no'.
Then the use case works as expected. Log in only once at mywa.example.org, and the iframe embedded page at example.net gets its expected cookie and shows up in the example.org:
http://mywa.example.org/home/index.html
The iframe element This is test page
+------+ | home | | | | | +------+
Additional Information
Feedback
