SameSite support


Description

SameSite is a cookie attribute defined in an IETF draft standard. It provides some protection against cross-site request forgery (CSRF) by restricting when a browser attaches a cookie to requests that originate from another site. Originally drafted in 2016, the draft was updated in 2019. The updated draft is not backwards compatible with the previous one: a cookie that does not set the attribute is treated as SameSite=Lax, and SameSite=None is only honoured when the cookie also carries the Secure attribute.

Version 80 of the Google Chrome browser introduced a breaking change by enforcing the updated draft. Other browsers are expected to follow suit, so they will experience the issue in the future. Federated Authentication is affected because the sign-in flow relies on cookies (for example the OpenID Connect nonce and correlation cookies) being sent on the cross-site redirect back from the identity provider; under the new defaults those cookies are dropped unless they are explicitly marked SameSite=None and Secure.

Solution

Because Sitecore Identity Server is the default provider for Federated Authentication, apply both of the following sections to your solution.

Make Sitecore Federated Authentication compatible with SameSite changes:

  1. Update the .NET Framework version on the server so that ASP.NET can emit the SameSite=None value (the unpatched framework omits the attribute for that value):
    https://docs.microsoft.com/en-us/aspnet/samesite/kbs-samesite
  2. Configure the default values of cookies in the <system.web> section of the web.config file as follows:
    <httpCookies sameSite="None" requireSSL="true" />
    Note that requireSSL="true" marks the cookies Secure, so the site must be served over HTTPS; over plain HTTP the browser will not send them at all.
  3. Download the Sitecore.Owin.Authentication.SameSite archive to prevent the cookie chunk maximum size from being exceeded (the added SameSite=None; Secure attributes make each chunk larger). Unpack the archive and follow the instructions in the readme.txt file.
  4. If custom identity providers are configured, make sure that CookieManager is specified when the UseOpenIdConnectAuthentication() extension method is called. The OpenIdConnectAuthenticationOptions object passed to UseOpenIdConnectAuthentication() must have the CookieManager property set explicitly. Use the instance of ICookieManager registered in the Service Container; you can inject it as a constructor dependency. Without it the middleware falls back to its own cookie manager and writes the nonce cookie without the SameSite attribute.
  5. After deploying, open the browser developer tools during a sign-in and confirm that the authentication, nonce and correlation cookies are set with SameSite=None; Secure; if any of them lack the attribute, the flow will fail in Chrome 80 and later.
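The following is an added example of step 4 for a custom OpenID Connect identity provider; it is not code shipped by Sitecore or taken from the page. It shows an identity providers pipeline processor that receives the container-registered ICookieManager through its constructor and sets it on OpenIdConnectAuthenticationOptions. The provider name, authority, client id and redirect URI are hypothetical placeholders, and the base-class constructor signature and helper methods (GetIdentityProvider, GetAuthenticationType) are assumed from Sitecore 9.1-style APIs and must be checked against the Sitecore.Owin.Authentication assembly actually installed. Claims transformation and external user mapping are left out because they are unrelated to the SameSite fix.

```csharp
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.OpenIdConnect;
using Owin;
using Sitecore.Abstractions;
using Sitecore.Owin.Authentication.Configuration;
using Sitecore.Owin.Authentication.Pipelines.IdentityProviders;

namespace Example.Authentication
{
    // Registers a custom OpenID Connect identity provider and hands the
    // SameSite-aware ICookieManager from the Sitecore service container to the
    // OWIN middleware, so the nonce/correlation cookies the middleware writes
    // carry SameSite=None; Secure instead of the browser default.
    public class SameSiteAwareOidcProcessor : IdentityProvidersProcessor
    {
        private readonly ICookieManager _cookieManager;

        // Assumed base constructor signature (Sitecore 9.1 style); match it to
        // the installed Sitecore.Owin.Authentication version before building.
        public SameSiteAwareOidcProcessor(
            FederatedAuthenticationConfiguration configuration,
            ICookieManager cookieManager,
            BaseSettings settings)
            : base(configuration, cookieManager, settings)
        {
            _cookieManager = cookieManager;
        }

        // Must equal the identity provider id declared in the federated
        // authentication configuration patch. Hypothetical name.
        protected override string IdentityProviderName => "ExampleOidc";

        protected override void ProcessCore(IdentityProvidersArgs args)
        {
            var identityProvider = GetIdentityProvider();

            var options = new OpenIdConnectAuthenticationOptions
            {
                AuthenticationType = GetAuthenticationType(),
                Authority = "https://idp.example.test",               // hypothetical
                ClientId = "sitecore-example-client",                 // hypothetical
                RedirectUri = "https://cm.example.test/signin-oidc",  // hypothetical
                ResponseType = "code id_token",
                Scope = "openid profile",

                // The actual fix: without this line the middleware uses its own
                // CookieManager and emits the nonce cookie without SameSite=None,
                // so Chrome 80+ drops it on the cross-site POST back and the
                // sign-in fails with a nonce/correlation error.
                CookieManager = _cookieManager,
            };

            args.App.UseOpenIdConnectAuthentication(options);
        }
    }
}
```

Register the processor in the owin.identityProviders pipeline with a configuration patch that sets resolve="true" on the processor element; that attribute makes Sitecore construct the processor through the service container, which is what supplies the ICookieManager instance to the constructor above.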

Make Sitecore Identity server compatible with SameSite changes:

  1. Download the Sitecore.Plugin.Authentication.SameSite archive.
  2. Install the plugin on the Sitecore Identity server (see the readme.txt inside the archive for detailed instructions).