Breaking Changes with Google Chrome 80 (sameSite=None; secure cookie settings) (Updated March 12 2020)

A heads-up, Chrome has announced a browser update, to be included in the Chrome 80 release, scheduled for February 2020. The version will change the default cross-domain (SameSite) behavior of cookies. The change is a security enhancement that will affect Sisense deployments that rely on cookies, such as those that use cross-domain embedded IFrames or SisenseJS.
The Chrome Platform Status post available here explains the changes to the SameSite attribute of cookies and their effect on cross-domain behavior. The change is explained there as follows: ““SameSite” is a reasonably robust defense against some classes of cross-site request forgery (CSRF) attacks, but developers currently need to opt-into its protections by specifying a SameSite attribute. In other words, developers are vulnerable to CSRF attacks by default. This change would allow developers to be protected by default, while allowing sites that require state in cross-site requests to opt-in to the status quo’s less-secure model. In addition, forcing sites to opt-in to SameSite=None gives the user agent the ability to provide users more transparency and control over tracking.”
Additional information on this change is available on the Chromium blog.

What Does This Mean for Me?

Web applications that include cross-domain embedded dashboards (for example using IFrames) that rely on cookies might no longer work when accessed using the Google Chrome browser, until they are configured to use the “sameSite=None” attribute and to use secure browser access (HTTPS).

What Do I Need to Do?

If you're a customer of the Sisense Cloud Managed Service, no action is required.  The Sisense Cloud Managed Service has been updated to support Google Chrome version 80.
If you are not a customer of the Sisense Cloud Managed Service, do the following:
  1. Configure your system to use HTTPS instead of HTTP. Instructions for configuring SSL for Sisense are available here.
  2. Update your system using one of the different fix options we have provided:
    1. Windows and Linux service pack: a Windows service pack (upgrade to Windows 8.1.1 SP1 or any later version) and a Linux service pack (upgrade to Linux 8.0.3 or any later version) are now available.
      After upgrading your Sisense deployment, use the Admin settings available at Admin -> System Configuration -> Settings -> Security settings, and change the value of "Support Cross Site Cookies for Embedding" to “none”.
    2. Windows-only fix script: a fix script is available for Windows version 7.2 and later, and a manual fix is available for Windows versions 6.7.1 - 7.1.3.

Windows Resolution:

We have provided resolutions for all Windows versions starting from version 6.7.1. You can choose between multiple resolution options:
  1. Upgrading to the Windows 8.1.1 service pack, or a later version - available for all Windows versions.
  2. Version 7.2 and later: installing one of the fix scripts.
  3. Versions 6.7.1 - 7.1.3: manual guidelines for resolution.

Installing 8.1.1 Service Pack 1 or a later version: this option is available for all Sisense Windows versions

These are the instructions for installing version 8.1.1 service pack 1 or later versions:
  1. Ensure your system is configured to use HTTPS.
  2. Download the latest Sisense version for Windows.
  3. Upgrade your Sisense servers to the latest Sisense version, using the regular Sisense upgrade process.
  4. Use the Admin Screen -> System Configuration -> Settings -> Security Settings option to configure your system to use "Support Cross Site Cookies for Embedding"=None. 
  5. All users will be automatically logged out after clicking on the Save button. This can also be done manually by sending a POST request to /authentication/admin/logout_all_users. This request must be run by an Administrator or Sys. Admin user.
  6. Sisense deployments running version 7.2 and later with a load balancer or any other proxy server (all client-side requests go through SSL termination; the proxy forwards all requests to api-gateway using HTTP) must be configured to force the Secure flag on all cookies by changing the Force secure cookies attribute, which can be updated using the Configuration Manager.
  7. These settings are retained following upgrades to future versions.

Installing a fix script: this option is available for versions 7.2 and later:

For versions 7.2 and later, two script versions are available:
  1. A version for Sisense deployments running version 7.2 and later, available for download here
  2. A version for Sisense deployments running version 7.2 and later with a Load Balancer or any other Proxy server (all client-side requests go through SSL termination; Proxy forwarding all requests to api-gateway using HTTP), available for download here.
Instructions for running the scripts are as follows:
  1. Configure your system to use HTTPS.
  2. Download the relevant script.
  3. Unzip the script.
  4. From the command line (using Administrator permissions), run: run_patch.cmd
  5. The script will configure the system to use “sameSite” value “none”.   
  6. The script for deployments using a load balancer or proxy servers will additionally force the Secure flag for all cookies.
  7. All users can be logged out by sending a POST request to /authentication/admin/logout_all_users as an Admin or System Admin user. After their next login, a new cookie with the correct values will be generated for every user.
  8. Note: Upgrading to version 8.1.1 service pack 1, or later releases, will revert the changes applied by the script. You will need to reconfigure your system as follows: Use the Admin Screen -> System Configuration -> Settings -> Security Settings option to configure your system to use "Support Cross Site Cookies for Embedding"=None.

Manual fix: This option is available for versions 6.7.1 up to, but not including, 7.2:

For versions 6.7.1 up to, but not including, version 7.2, a manual process is provided. The process is relevant for all Sisense deployments, including those using a load balancer or an SSL/TLS termination proxy.
The following manual steps are available to handle the Chrome changes:
  1. Configure the system to use HTTPS.
  2. Define Cookie Security according to the instructions in the documentation here.
  3. Manually update the Web.Config file located at: C:\Program Files\Sisense\PrismWeb as follows:
    1. In the <system.web> element, add the following element to set the Secure flag on an ASP.NET Session Cookie: 
         <httpCookies httpOnlyCookies="true" requireSSL="true" />
    2. In the <system.webServer> <rewrite> element, add the following elements with the value SameSite=None (to allow cross-domain embedding) or SameSite=Lax.
   <outboundRules>
      <clear />
      <rule name="Add SameSite" preCondition="No SameSite">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*" negate="false" />
        <action type="Rewrite" value="{R:0}; SameSite=None" />
      </rule>
      <preConditions>
        <preCondition name="No SameSite">
          <add input="{RESPONSE_Set_Cookie}" pattern="." />
          <add input="{RESPONSE_Set_Cookie}" pattern="; SameSite=None" negate="true" />
        </preCondition>
      </preConditions>
    </outboundRules>
    3. Replace <anonymousIdentification cookieless="UseCookies" enabled="true" /> with
       <anonymousIdentification cookieless="UseCookies" enabled="true" cookieRequireSSL="true"/>
    4. Manually update the authCookieRequireSsl key in the <securityConfiguration> element of the security.config file located at C:\Program Files\Sisense\PrismWeb\App_Data\Configurations as follows:
       authCookieRequireSsl="true"
    5. Log out all users by removing the device key in the user's DB model. After logging in, every user will get new cookies with the correct values. Please contact our support with any questions.
    6. Note: these instructions are relevant for versions up to 7.1.3. After you upgrade to a later version, you will need to apply the relevant fix for the version you are upgrading to. Starting from version 8.1.1 service pack 1, the option "Support Cross Site Cookies for Embedding" is available from the admin screen.
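As an added example (not Sisense code, and not the exact implementation of Chrome or the IIS rewrite module), the following Python models the Chrome 80 rules described at the top of this post and the Web.Config outbound rule from step 3 of the manual fix, so you can check what a given Set-Cookie header will do in a cross-domain IFrame before and after the fix. The sample headers and cookie names are constructed, and the assumption that requireSSL / cookieRequireSSL add a Secure flag to the ASP.NET cookies is labelled in the code.

```python
"""Audit Set-Cookie headers against the Chrome 80 SameSite defaults and model
the 'Add SameSite' IIS outbound rule from the manual fix.

Rules encoded here (Chrome 80 behaviour as described in this post):
  - a cookie with no SameSite attribute is treated as SameSite=Lax, so it is
    not sent from a cross-site IFrame;
  - SameSite=None is honoured only when the cookie also carries Secure;
    otherwise Chrome rejects the cookie.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple


@dataclass
class CookieAudit:
    name: str
    samesite: Optional[str]   # SameSite value as written in the header, or None
    secure: bool
    embeddable: bool          # will Chrome 80 send it from a cross-site IFrame?
    reason: str


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie value into the cookie name and a lower-cased attribute map."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip() if sep else None
    return name, attrs


def audit_cookie(header_value: str) -> CookieAudit:
    """Classify one Set-Cookie header under the Chrome 80 defaults."""
    name, attrs = parse_set_cookie(header_value)
    secure = "secure" in attrs
    samesite = attrs.get("samesite")
    # A header carrying SameSite twice (for example an existing SameSite=Lax plus
    # the appended SameSite=None) is ambiguous; flag it rather than guess.
    samesite_count = sum(
        1 for p in header_value.split(";") if p.strip().lower().startswith("samesite")
    )
    if samesite_count > 1:
        return CookieAudit(name, samesite, secure, False,
                           "multiple SameSite attributes: ambiguous header, fix at the source")
    mode = (samesite or "").lower()
    if mode == "none":
        if secure:
            return CookieAudit(name, samesite, secure, True,
                               "SameSite=None; Secure: sent from cross-site IFrames")
        return CookieAudit(name, samesite, secure, False,
                           "SameSite=None without Secure: Chrome 80 rejects the cookie")
    if mode in ("lax", "strict"):
        return CookieAudit(name, samesite, secure, False,
                           f"SameSite={samesite}: not sent from a cross-site IFrame")
    return CookieAudit(name, samesite, secure, False,
                       "no SameSite attribute: Chrome 80 treats it as Lax")


def apply_samesite_rewrite(header_value: str) -> str:
    """Model of the 'Add SameSite' outbound rule: the precondition requires a
    non-empty Set-Cookie that does not already contain '; SameSite=None'."""
    if header_value and "; SameSite=None" not in header_value:
        return header_value + "; SameSite=None"
    return header_value


def apply_manual_fix(header_value: str, require_ssl: bool = True) -> str:
    """Model of the whole manual fix. Assumption: requireSSL / cookieRequireSSL
    produce a '; Secure' attribute on the cookie; then the rewrite rule runs."""
    _, attrs = parse_set_cookie(header_value)
    if require_ssl and "secure" not in attrs:
        header_value += "; Secure"
    return apply_samesite_rewrite(header_value)


# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",
    ".ASPXANONYMOUS=xyz789; expires=Thu, 01-Jan-2099 00:00:00 GMT; path=/; HttpOnly",
    "example_cookie=token; path=/; Secure; SameSite=Lax",
]

if __name__ == "__main__":
    for raw in SAMPLE_HEADERS:
        before = audit_cookie(raw)
        after = audit_cookie(apply_manual_fix(raw))
        print(f"{before.name}: before -> {before.reason}")
        print(" " * len(before.name) + "  after  -> " + after.reason)
```

The third constructed header shows the caveat worth checking in your own responses: the rule's precondition only looks for the literal string "; SameSite=None", so a cookie that already carries SameSite=Lax ends up with two SameSite attributes after the rewrite, and the audit flags it instead of guessing which value a browser will keep. Running the fix with require_ssl=False (HTTP only) shows why step 1, configuring HTTPS, is not optional: SameSite=None without Secure is rejected outright.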

Linux Solution:

Linux versions starting from version 8.0.3 support the sameSite attribute.
These are the steps to follow:
  1. Upgrade your deployment to version 8.0.3 or later, using the regular Linux upgrade process.
  2. Ensure your system is configured to use HTTPS.
  3. Use the Admin Screen -> System Configuration -> Settings -> Security Settings option to configure your system to use "Support Cross Site Cookies for Embedding"=None.
  4. All users will be automatically logged out after clicking on the Save button. This can also be done manually by sending a POST request to /authentication/admin/logout_all_users. This request must be run by an Administrator or Sys. Admin user.
  5. These settings are retained following upgrade.
These fixes have been verified to work with the Okta SSO provider. They do not yet work for the OneLogin SSO provider, as OneLogin has not yet added support for the sameSite cookie option, which will be required by Google Chrome version 80. We expect OneLogin to add this support shortly, as the issue will affect many of their other customers.

Regards,
Ahuva Hazan-Fuchs
Product Director, Platform & Cloud

Additional Resources