Handle SameSite cookie changes in the Chrome browser

What is SameSite?

SameSite is an attribute that can be set on an HTTP cookie to protect web applications against Cross-Site Request Forgery (CSRF) attacks:

  • When SameSite is set to Lax, the cookie is sent on requests within the same site and on top-level navigations that arrive from another site using a safe method (GET). It is not sent on cross-site POST requests, nor on cross-site subresource requests such as iframes, images and fetch/XHR calls.
  • A value of Strict ensures the cookie is sent only on requests that originate within the same site; it is withheld even from top-level GET navigations that arrive from another site.

Historically, a cookie that carries no SameSite attribute is sent without restriction. An application has to opt in to this CSRF protection by setting Lax or Strict according to its requirements.

SameSite changes and impact on authentication

Recent updates to the SameSite standard propose protecting apps by treating a cookie that carries no SameSite attribute as if it were Lax. Under this mitigation, cookies are withheld from cross-site requests other than top-level GET navigations. A new value, None, is introduced to remove the restriction explicitly; Chrome accepts SameSite=None only on cookies that also carry the Secure attribute, so such cookies must be set over HTTPS. These updates ship in an upcoming version of the Chrome browser.

When a web app authenticates with the Microsoft identity platform using the response mode form_post, the login server delivers the tokens or authorization code to the application in an HTTP POST. Because this is a cross-site request (from login.partner.microsoftonline.cn to your own domain, for instance https://contoso.com/auth), cookies set by your app now fall under the new rules in Chrome. The cookies that must survive this cross-site POST are the ones holding the state and nonce values, which the app also sends in the login request and then compares against the POSTed response. Azure AD sets other cookies of its own, on its own domain, to hold the session.
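To make the rules above concrete, here is an added example (not code from the Microsoft docs) that models which requests a browser attaches a cookie to under each SameSite mode, both before and after Chrome's default change, and runs the form_post response described above through it. The request shapes are constructed for illustration, and the site computation is a deliberate simplification (last two labels of the host) standing in for the Public Suffix List that real browsers consult.

```python
"""Model of when a browser attaches a cookie, by SameSite mode.

Added example, not code from the Microsoft docs. The site computation is a
deliberate simplification (last two host labels) in place of the Public
Suffix List that real browsers use.
"""
from dataclasses import dataclass
from typing import Optional
from urllib.parse import urlsplit

SAFE_METHODS = ("GET", "HEAD", "OPTIONS", "TRACE")


def site_of(url: str) -> str:
    """Registrable domain of a URL (simplified: last two labels of the host)."""
    host = urlsplit(url).hostname or ""
    return ".".join(host.split(".")[-2:])


@dataclass
class Request:
    method: str
    url: str                   # the request target
    initiator: Optional[str]   # page that caused the request; None = typed in by the user
    top_level: bool = True     # top-level navigation, as opposed to iframe/img/fetch


def cookie_sent(samesite: Optional[str], req: Request, *, chrome_default_lax: bool) -> bool:
    """Would the browser attach a cookie with this SameSite attribute to req?

    chrome_default_lax=False models the historical behaviour (no attribute
    means no restriction); True models Chrome's new default (no attribute
    means Lax).
    """
    # Same-site requests always carry the cookie, whatever the attribute says.
    if req.initiator is None or site_of(req.initiator) == site_of(req.url):
        return True
    mode = (samesite or "").lower()
    if mode == "":
        mode = "lax" if chrome_default_lax else "none"
    if mode == "none":
        return True
    if mode == "strict":
        return False
    # Lax: only top-level navigations that use a safe method.
    return req.top_level and req.method.upper() in SAFE_METHODS


# Constructed request shapes for the scenarios discussed in the text.
LOGIN_SERVER = "https://login.partner.microsoftonline.cn/common/oauth2/v2.0/authorize"
FORM_POST = Request("POST", "https://contoso.com/auth", initiator=LOGIN_SERVER)
CROSS_SITE_LINK = Request("GET", "https://contoso.com/", initiator="https://news.example/")
CROSS_SITE_FETCH = Request("GET", "https://contoso.com/api", initiator="https://news.example/", top_level=False)
SAME_SITE_POST = Request("POST", "https://contoso.com/auth", initiator="https://app.contoso.com/")


def form_post_outcomes() -> dict:
    """Fate of the state/nonce cookie during the form_post response, per setting."""
    return {
        "unset, old browsers": cookie_sent(None, FORM_POST, chrome_default_lax=False),
        "unset, new Chrome":   cookie_sent(None, FORM_POST, chrome_default_lax=True),
        "Lax":                 cookie_sent("Lax", FORM_POST, chrome_default_lax=True),
        "Strict":              cookie_sent("Strict", FORM_POST, chrome_default_lax=True),
        "None":                cookie_sent("None", FORM_POST, chrome_default_lax=True),
    }


if __name__ == "__main__":
    for label, sent in form_post_outcomes().items():
        print(f"{label:22s} -> cookie {'sent' if sent else 'withheld'}")
```

Only the None row keeps the state and nonce cookie alive across the cross-site POST from the login server; the "unset, new Chrome" row is the authentication failure the text warns about. One nuance the model leaves out: Chrome also applied a temporary "Lax+POST" exception that still sends an attribute-less cookie on a cross-site POST if the cookie was set less than two minutes earlier, which can mask the problem during quick manual tests.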

If you don't update your web apps, this new behavior results in authentication failures.

Mitigation and samples

To overcome the authentication failures, web apps that authenticate with the Microsoft identity platform can set the SameSite attribute to None on the cookies used in cross-site scenarios when the request comes from the Chrome browser. Some other browsers (see the Chromium project's list of incompatible clients) follow the previous SameSite behavior and will not include the cookie when SameSite=None is set: they either reject the unrecognized value or treat it as Strict. To support authentication across browsers, a web app therefore has to set SameSite=None for Chrome (and other browsers that honor it) and leave the attribute unset for the browsers known to mishandle it.
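As an added example (not one of the Microsoft samples), the following Python shows the approach in a server-agnostic form: a classifier that checks the User-Agent against the heuristics from the Chromium incompatible-clients notes (iOS 12 and macOS 10.14 Safari/WebKit, Chrome 51 to 66, older UC Browser), and a builder that emits a Set-Cookie header with SameSite=None for every other client. The function names and the sample user-agent strings are mine; the Secure attribute is always emitted because Chrome rejects SameSite=None without it, so the cookie has to be set over HTTPS.

```python
"""Set-Cookie builder that applies SameSite=None only where it is safe.

Added example, not one of the Microsoft samples. The user-agent heuristics
follow the Chromium project's incompatible-clients notes; function names and
the sample agents below are constructed for this illustration.
"""
import re

_IOS12 = re.compile(r"CPU iPhone OS 12|iPad; CPU OS 12")
_MACOS_1014 = re.compile(r"Macintosh; Intel Mac OS X 10_14")
_CHROME_VERSION = re.compile(r"Chrom(?:e|ium)/(\d+)")
_UCBROWSER = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)")


def disallows_samesite_none(user_agent: str) -> bool:
    """True for clients known to reject SameSite=None or to treat it as Strict."""
    if not user_agent:
        return False
    # iOS 12 WebKit treats the unknown value None as Strict.
    if _IOS12.search(user_agent):
        return True
    # macOS 10.14 Safari and embedded WebKit views do the same. Chrome on the
    # same OS also says "Mac OS X 10_14" but never "Version/", so it passes.
    if _MACOS_1014.search(user_agent) and "Version/" in user_agent and "Safari" in user_agent:
        return True
    # Chrome 51 to 66 reject cookies carrying SameSite=None outright.
    m = _CHROME_VERSION.search(user_agent)
    if m and 51 <= int(m.group(1)) <= 66:
        return True
    # UC Browser on Android before 12.13.2 rejects SameSite=None as well.
    m = _UCBROWSER.search(user_agent)
    if m and tuple(int(x) for x in m.groups()) < (12, 13, 2):
        return True
    return False


def set_cookie_header(name: str, value: str, user_agent: str, *, max_age: int = 600) -> str:
    """Build a Set-Cookie header for a state/nonce cookie that must survive the form_post.

    Secure and HttpOnly are always present; SameSite=None is added only for
    clients that handle it. Leaving the attribute off for the others keeps
    their old "no restriction" behaviour.
    """
    parts = [f"{name}={value}", "Path=/", f"Max-Age={max_age}", "Secure", "HttpOnly"]
    if not disallows_samesite_none(user_agent):
        parts.append("SameSite=None")
    return "; ".join(parts)


# Constructed sample user agents (not captured from real traffic).
SAMPLE_AGENTS = {
    "chrome80_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
    "chrome60_win": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36",
    "chrome80_mac1014": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                        "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36",
    "safari_mac1014": "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                      "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15",
    "safari_ios12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
                    "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1",
    "ucbrowser_old": "Mozilla/5.0 (Linux; U; Android 8.0.0) UCBrowser/12.11.5.1197 Mobile Safari/537.36",
}


if __name__ == "__main__":
    for label, ua in SAMPLE_AGENTS.items():
        print(f"{label:18s} {set_cookie_header('state', 'abc123', ua)}")
```

The classifier is deliberately a deny-list: anything not recognized as broken gets SameSite=None, so a new browser that implements the standard correctly works without a code change, while the few known-broken clients fall back to the legacy behavior the rest of the page describes.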

This approach is demonstrated in the code samples below.

Next steps

Learn more about SameSite and the web app scenario: