[Openid-specs-ab] Session management and third party cookies

Nat Sakimura sakimura at gmail.com
Thu Aug 16 20:21:34 UTC 2012


Actually, Safari should not be a problem because the cookie is first
created at the top-level window when the user first logs in to the IdP.
Safari allows reading the cookie in an iframe, though it does not allow
writing. This is perfectly fine.

The problem is in other browsers. In Chrome after release 17, when the user
sets the "no third-party cookies / local storage" option, it even blocks
reading the cookie. The same behavior was reported on Firefox as well. Since
that is not the default setting, perhaps not many people are affected, yet it
is a valid concern.

Nat

On Fri, Aug 17, 2012 at 2:25 AM, Torsten Lodderstedt <
torsten at lodderstedt.net> wrote:

> Hi all,
>
> according to one of our developers, at least Safari is blocking such
> cookies only if they were not created as a result of some user interaction,
> e.g. a form post.
>
> regards,
> Torsten.
>
>
>
> On 14.08.2012 14:37, John Bradley wrote:
>
>> So I take it that this is not about blocking what we would think of as a
>> normal 3rd party cookie.
>>
>> The Browsers are also trying to block sneaky ways that people are using
>> to get around 3rd party cookie blocking.
>>
>> We are getting caught in that basket because the IdP iframe is invoked
>> from the RP iframe.
>>
>> Any Ideas?
>>
>> On 2012-08-14, at 7:22 AM, Nat Sakimura wrote:
>>
>>> Latest Safari on iOS 5.1.1 and Mountain Lion.
>>>
>>> =nat via iPhone
>>>
>>> On Aug 14, 2012, at 9:11 PM, Chuck Mortimore <cmortimore at salesforce.com>
>>> wrote:
>>>
>>>> Latest versions of Safari just got far more aggressive about this, so
>>>> I'd report what version of Safari you were on.
>>>>
>>>> -cmort
>>>>
>>>> On Aug 13, 2012, at 6:36 PM, Nat Sakimura wrote:
>>>>
>>>>> I did a little bit of checking on the relationships between the
>>>>> Session management spec and third party cookies.
>>>>>
>>>>> In short, it varies.
>>>>> In Safari and older Chrome, it works.
>>>>>
>>>>> In Chrome after v.17(?), if the user sets the block third party
>>>>> cookies option, it does not.
>>>>>
>>>>> I have not tested IE.
>>>>>
>>>>> Nat Sakimura
>>>>> _______________________________________________
>>>>> Openid-specs-ab mailing list
>>>>> Openid-specs-ab at lists.openid.net
>>>>> http://lists.openid.net/mailman/listinfo/openid-specs-ab
>>>>>
>
>


-- 
Nat Sakimura (=nat)
Chairman, OpenID Foundation
http://nat.sakimura.org/
@_nat_en