[Openid-specs-ab] Session management and third party cookies

Torsten Lodderstedt torsten at lodderstedt.net
Sat Aug 18 15:45:46 UTC 2012


On 16.08.2012 22:21, Nat Sakimura wrote:
> Actually, Safari should not be a problem because the cookie is first 
> created at the top level window when the user first logged in to the 
> IdP. Safari allows the read of the cookie in iFrame, though it does 
> not allow write. This is perfectly fine.
>
> The problem is in other browsers. Chrome after rel. 17, when the user 
> sets no third party cookie / local storage option, it even blocks the 
> reading of the cookie. The same behavior was reported on Firefox as 
> well. Since they are not the default setting, not many people perhaps 
> are affected, yet it is a valid concern.

Do you consider this a bug or is there a concept/philosophy behind it?

regards,
Torsten.
>
> Nat
>
> On Fri, Aug 17, 2012 at 2:25 AM, Torsten Lodderstedt 
> <torsten at lodderstedt.net> wrote:
>
>     Hi all,
>
>     according to one of our developers, at least Safari is blocking
>     such cookies only if they were not created as a result of some
>     user interaction, e.g. a form post.
>
>     regards,
>     Torsten.
>
>
>
>     On 14.08.2012 14:37, John Bradley wrote:
>
>         So I take it that this is not about blocking what we would
>         think of as a normal 3rd party cookie.
>
>         The Browsers are also trying to block sneaky ways that people
>         are using to get around 3rd party cookie blocking.
>
>         We are getting caught in that basket because the IdP iframe is
>         invoked from the RP iframe.
>
>         Any Ideas?
>
>         On 2012-08-14, at 7:22 AM, Nat Sakimura wrote:
>
>             Latest Safari on iOS 5.1.1 and Mountain Lion.
>
>             =nat via iPhone
>
>             On Aug 14, 2012, at 9:11 PM, Chuck Mortimore
>             <cmortimore at salesforce.com> wrote:
>
>                 Latest versions of Safari just got far more aggressive
>                 about this, so I'd report what version of Safari you
>                 were on.
>
>                 -cmort
>
>                 On Aug 13, 2012, at 6:36 PM, Nat Sakimura wrote:
>
>                     I did a little bit of checking on the
>                     relationships between the
>                     Session management spec and third party cookies.
>
>                     In short, it varies.
>                     In Safari and older Chrome, it works.
>
>                     In Chrome after v.17(?), if the user sets the
>                     block third party
>                     cookies option, it does not.
>
>                     I have not tested IE.
>
>                     Nat Sakimura
>                     _______________________________________________
>                     Openid-specs-ab mailing list
>                     Openid-specs-ab at lists.openid.net
>                     <mailto:Openid-specs-ab at lists.openid.net>
>                     http://lists.openid.net/mailman/listinfo/openid-specs-ab
>
>
>
>
>
> -- 
> Nat Sakimura (=nat)
> Chairman, OpenID Foundation
> http://nat.sakimura.org/
> @_nat_en
>
