I'm writing a client against the IC web services API (ICWS) over https. We're currently on CIC 2019 R1 Patch23.
Single sign-on is broken in Chrome because some cookies are being set by ICWS without the SameSite attribute.
Currently in development I'm having to set a flag when running Chrome, to hack around the issue, but that of course isn't really an option for production. We may have to resort to proxies and rewriting, but I'd like to solve it a better way.
Is there a workaround for this in PureConnect?
Here's what Chrome says:
Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax, which will prevent the cookie from being sent in a cross-site request in a future version of the browser. This behavior protects user data from accidentally leaking to third parties and cross-site request forgery.
Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.
Specify SameSite=Strict or SameSite=Lax if the cookie should not be sent in cross-site requests
And it identifies the following cookies:
ININ-AUTHENTICATION-SESSION-URL
icws_<id goes here>
I also found the following information in the PureConnect release notes. I'm guessing this is a known issue, but nothing is said about a workaround.
Cross-site ICWS requests need samesite=none in response header
Release : 2020r2, 2020r1 Patch 1, 2019r4 Patch 7, 2019r3 Patch 13, 2019r2 Patch 20, 2019r1 Patch 26, 2018r5 Patch 32, 2018r4 Patch 38
Issue : IC-156993
Issue type : Bug
Project : IC
Component : Session Manager
Description : Due to Chrome updating to use samesite=Lax as the default, there is a need to force "samesite=none" and "secure" in the https response header value of set-cookie if and only if this is a cross-site request and the origin begins with https.
Details : This is needed so that ICWS session cookies are set properly for cross-site requests. It is necessary to keep certain products (such as PC4SF) from breaking communication with the CIC server.
Caveats and Warnings : None
Installation Instructions : None
Associated products: Customer Interaction Center, ICWS, Session Manager
Thanks!
#Integrations #ICWS #pureconnect
------------------------------
Daniel Boggs
CHRISTIAN BROADCASTING NETWORK
------------------------------
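
The rule quoted from the IC-156993 release note, sketched as the kind of Set-Cookie rewrite a reverse proxy would apply; this is an added example, not part of the original post and not Genesys code. The function names, hosts and cookie values are constructed, and a plain host comparison is assumed to stand in for the browser's registrable-domain ("site") check.

```python
from urllib.parse import urlsplit

def is_cross_site_https(origin, request_host):
    """True when the Origin header is https and names a different host than the
    one the request was sent to. Assumption: comparing hosts approximates the
    browser's same-site test, which really needs the Public Suffix List."""
    if not origin:
        return False
    parts = urlsplit(origin)
    if parts.scheme.lower() != "https" or not parts.hostname:
        return False
    # urlsplit copes with "host:port" and bracketed IPv6 in the Host header.
    server = urlsplit("//" + request_host).hostname or ""
    return parts.hostname.lower() != server.lower()

def rewrite_set_cookie(value, origin, request_host):
    """Force SameSite=None and Secure on one Set-Cookie value if and only if the
    request is cross-site with an https origin; otherwise return it unchanged."""
    if not is_cross_site_https(origin, request_host):
        return value
    pieces = [p.strip() for p in value.split(";")]
    name_value, attrs = pieces[0], pieces[1:]
    kept = []
    for attr in attrs:
        key = attr.split("=", 1)[0].strip().lower()
        # Drop empty fragments and any existing SameSite/Secure so the forced
        # attributes appear exactly once.
        if not attr or key in ("samesite", "secure"):
            continue
        kept.append(attr)
    return "; ".join([name_value] + kept + ["SameSite=None", "Secure"])

if __name__ == "__main__":
    # Constructed sample headers, not captured from a real ICWS server.
    sample = "icws_EXAMPLEID=abc123; Path=/icws; HttpOnly"
    print(rewrite_set_cookie(sample, "https://app.example.net", "cic.example.com:8019"))
    print(rewrite_set_cookie(sample, "https://cic.example.com", "cic.example.com:8019"))
```
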