%kb_name - %short_descr - Knowledge Portal

Description

Google released Chrome 84 on July 14, 2020. Sitecore is researching any possible impact on our customers.

We noticed that the Chrome security update might cause the maximum number of allowed users to be exceeded due to the new behavior of the SameSite setting in Chrome 84 (apart from Lax and Strict there is also a new None setting that is used by default).

It affects how ASP.NET_SessionId cookie is generated. If the ASP.NET_SessionId cookie is not marked as secure, it is generated anew on every new request. This means that every request is made with a new session that Sitecore counts as a new user. As a result, Max Allowed Users can be exceeded by just one actual user.

In such a scenario, the KickUser.aspx admin page will list many users with the same names. Also, after each request the ASP.NET_SessionId cookie will change its value (can be checked via Chrome dev tools).

More information about changes in Chrome 84 can be found here: https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

Solution

To make ASP.NET_SessionId cookie secure:

Ensure that CM is accessible only with https.

Ensure that all cookies are configured with "requireSSL" set to "true" in web.config:

<system.web>
    ....
    <httpCookies requireSSL="true" />
</system.web>

Chrome 84 security update might cause maximum allowed users number to be exceeded

Description

Solution