Google browser single sign on failed

1. version

2. problem description

Single sign on of Google browser version 80 and above failed, jump to the login page, and other browsers are normal.

3. cause analysis

Single point failure due to cookie problem.

Since the security policy has been modified in the latest version of Chrome (80.0) and above, the default SameSite policy does not allow cookies to be sent across sites, so single sign on will fail.

4. solutions

The latest version of Chrome browser (80.0) and above does not allow cookies to be sent across sites, which will cause single sign on failure.

Judgment basis for cross station:

The cross site is judged by Public Suffix List.

The two URLs, the content of the top-level domain name and the sub top-level domain name (hereinafter referred to as public suffix + 1) are the same, which is the same site:

• Top level domain name: the longest suffix length matched from the Public Suffix List.

• Sub top level domain name: the field in front of the top level domain name.

Note: for the list of top-level domain names, see: list of top-level domain names

Example:

For example, www.sina.com The public suffix + 1 is sina.com.cn, www.sohu.com The public suffix + 1 is sohu.com.cn, the two are different, so they do not belong to the same site; Another example is nanzhuang.taobao.com's public suffix + 1 is taobao.com, nvzhuang.taobao The public suffix + 1 is also taobao.com, so they are the same site.

Note 1: this scheme is also applicable to other Google kernel browsers, such as the new edge (access edge://flags/ ）, 360 security browser (visit se://flags/), etc., but it is not applicable to Google kernel browser of version 91 and above.

Note 2: the solutions provided in this chapter are solved by modifying the settings of Google. Each computer visited needs to modify the settings of Google. The user experience is poor and it is not recommended; It is recommended to refer to the scheme in Chapter 4.

In the Google browser address bar, enter: chrome://flags/, And then enter "SameSite" in the search box to search and find "SameSite by default cookies" option, select "Disabled" on the right button, and restart Google browser. As shown in the following figure:

1. http access

Scheme 1: no cross station

Please refer to the cross station description in Chapter 2 of this article.

Ensure that the top-level domain name and sub top-level domain name of the two projects are the same, such as a.b.com and c.b.com, where ". com" is the top level and "b" is the sub top level.

Examples: bbs.fanruan.com, help.fanruan.com, the top-level domain name is. com, and the sub domain name is fanruan. These two projects will not have this problem.

Scheme 2: upgrade to HTTPS

After upgrading to HTTPS, refer to section 2 of this part.

2. HTTPS access

1) installing plug-ins

Plug in download please click: HTTPS_SameSite_Cross domain plug-in

See plug-in management for plug-in installation methods

2) specific steps

After setting cross domain single sign on, the project that needs single sign on can install "HTTPS_SameSite__Cross domain plug-in" and restart the project to realize cross site single sign on.

In the latest version 91 of Google, samesite cannot be turned off manually. All samesite properties will be turned on by default, and all single points will fail. However, the "HTTPS_SameSite__cross domain plug-in" will take effect normally.