Description
Cookies that do not include any SameSite property have up till now been treated by browsers as if no SameSite policy was present (= SameSite=None).
With the Chromium 80 update, the browser will start treating cookies without the SameSite property as SameSite=Lax. (Ref: https://www.chromium.org/updates/same-site).
This behavioral browser change breaks many applications, especially applications using OpenID Connect for authentication/authorization (since the OpenID Connect spec relies on IFRAMEs for certain features - Single Sign-Out etc.).
Such applications now need to explicitly include the SameSite=None property to work with Chromium 80.
But then another problem arises: Cookies with the SameSite=None property are misinterpreted in certain versions of Safari on Mac and iOS (SameSite=None is interpreted as SameSite=Strict !!!).
For this reason, user-agent sniffing is unfortunately required to make OpenID Connect dependent applications work with Chromium 80 and certain Safari versions at the same time.
The code to detect user agents that suffer from this SameSite=None defect can be found in the following article:
https://www.thinktecture.com/identity/samesite/prepare-your-identityserver/
I think Microsoft.Owin.Security.Cookies should include this user-agent detection in the CookieAuthenticationHandler class.
When CookieAuthenticationOptions.CookieSameSite = SameSiteMode.None, the cookie should omit the SameSite property when a browser with the SameSite=None defect is detected.
Until this is in place, I can't use the CookieAuthenticationMiddleware or CookieAuthenticationHandler classes; I needed to make my own implementations based on the existing source code.
Let me know if PRs are accepted, as I have already implemented it for our applications.
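One way to get the behaviour proposed above without forking CookieAuthenticationHandler, as an added example that is not part of this issue or of the Katana project: wrap the ICookieManager the handler already delegates to, and clear the SameSite attribute when the request comes from a browser that mis-handles SameSite=None. It assumes Microsoft.Owin 4.1 or later (where CookieOptions.SameSite is nullable and CookieAuthenticationOptions.CookieSameSite exists). The user-agent checks in DisallowsSameSiteNone are an approximation of the heuristic in the linked thinktecture article, written here from the commonly reported affected browsers, not copied from it; treat the exact patterns as an assumption to verify against that article.

```csharp
using System;
using System.Text.RegularExpressions;
using Microsoft.Owin;
using Microsoft.Owin.Infrastructure;
using Microsoft.Owin.Security.Cookies;
using Owin;

// Wraps any ICookieManager (CookieManager, SystemWebCookieManager, ...) and drops the
// SameSite attribute for user agents that reject or mis-parse SameSite=None.
// Plugged in via CookieAuthenticationOptions.CookieManager, so the handler stays untouched.
public class SameSiteCookieManager : ICookieManager
{
    private readonly ICookieManager _inner;

    public SameSiteCookieManager() : this(new CookieManager()) { }

    public SameSiteCookieManager(ICookieManager inner)
    {
        _inner = inner ?? throw new ArgumentNullException(nameof(inner));
    }

    public string GetRequestCookie(IOwinContext context, string key)
        => _inner.GetRequestCookie(context, key);

    public void AppendResponseCookie(IOwinContext context, string key, string value, CookieOptions options)
    {
        AdjustSameSite(context, options);
        _inner.AppendResponseCookie(context, key, value, options);
    }

    public void DeleteCookie(IOwinContext context, string key, CookieOptions options)
    {
        AdjustSameSite(context, options);
        _inner.DeleteCookie(context, key, options);
    }

    private static void AdjustSameSite(IOwinContext context, CookieOptions options)
    {
        // Only SameSite=None is affected; Lax/Strict and "not set" pass through unchanged.
        if (options == null || options.SameSite != SameSiteMode.None)
        {
            return;
        }

        // Omitting the attribute lets the defective browser fall back to its legacy
        // default (treated as None). Chromium 80+ never reaches this branch.
        if (DisallowsSameSiteNone(context.Request.Headers["User-Agent"]))
        {
            options.SameSite = null;
        }
    }

    // Assumed heuristic (see lead-in): true for browsers known to mishandle SameSite=None.
    public static bool DisallowsSameSiteNone(string userAgent)
    {
        if (string.IsNullOrEmpty(userAgent))
        {
            return false;
        }

        // iOS 12 WebKit (every iOS browser shares WebKit) and macOS 10.14 Safari
        // treat SameSite=None as Strict. "Version/" distinguishes Safari from Chrome on Mac.
        if (userAgent.Contains("CPU iPhone OS 12") || userAgent.Contains("iPad; CPU OS 12"))
        {
            return true;
        }
        if (userAgent.Contains("Macintosh; Intel Mac OS X 10_14")
            && userAgent.Contains("Version/") && userAgent.Contains("Safari"))
        {
            return true;
        }

        // Chromium 51-66 rejected cookies carrying SameSite=None outright.
        if (Regex.IsMatch(userAgent, @"Chrome/(5|6)\d"))
        {
            return true;
        }

        // Older UC Browser builds share the defect; treated as affected wholesale here.
        return userAgent.Contains("UCBrowser/");
    }
}

public class Startup
{
    public void Configuration(IAppBuilder app)
    {
        app.UseCookieAuthentication(new CookieAuthenticationOptions
        {
            AuthenticationType = "Cookies",
            // Chromium 80 only honours SameSite=None when the cookie is also Secure.
            CookieSecure = CookieSecureOption.Always,
            CookieSameSite = SameSiteMode.None,
            CookieManager = new SameSiteCookieManager(new CookieManager()),
        });
    }
}
```

Because the handler builds a fresh CookieOptions instance for every Set-Cookie it emits and passes it to the configured ICookieManager, clearing options.SameSite inside the wrapper changes only that response header and never the shared CookieAuthenticationOptions. The same wrapper can be handed to other Katana middleware that exposes a CookieManager (for example the OpenID Connect correlation and nonce cookies), which is where the Single-Sign-Out IFRAME case mentioned above actually bites.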