Additional Configuration for Chrome 80.

July 6, 2022 | KB: 1014094
Web Client 10, Forms 10, Federated Search 10, WebLink 10

Summary

With Google Chrome 80 or later, you may be unable to sign out of Laserfiche web applications if you are signed in via single sign-on in Laserfiche Directory Server. Additionally, you may be unable to authenticate with Directory Server if the Laserfiche web application is embedded in an iframe. The issue can occur in a cross-domain scenario and can affect the Laserfiche web client, Laserfiche WebLink, Laserfiche Forms, Laserfiche Federated Search, and Laserfiche Directory Server.

Note: This article was written for Chrome version 80. As the issue described in it does not occur when using recommended practices for securing connections, Laserfiche will not be maintaining the instructions in this article through any subsequent changes in newer versions of Chrome.

Cause

Starting in version 80, Chrome treats all cookies that do not specify SameSite as if they were set with SameSite "Lax". Chrome also only delivers cookies with SameSite set to "None" if they are also marked "Secure."
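
The following added example (not part of the original article or of any Laserfiche product) applies the two Chrome 80 rules above to Set-Cookie header values so you can see which cookies stop working in a cross-domain or iframe scenario. The cookie names and values are constructed samples, and treating an unrecognised SameSite value like a missing one is an assumption of this sketch.

```python
# Added example: classify Set-Cookie values under the Chrome 80 SameSite rules.

def parse_set_cookie(header):
    """Split a Set-Cookie value into (cookie name, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0] if parts else ""
    attrs = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return name, attrs


def chrome80_treatment(header):
    """Return (effective SameSite, usable cross-site?, reason) for one cookie."""
    _, attrs = parse_set_cookie(header)
    secure = "secure" in attrs
    samesite = attrs.get("samesite", "").lower()
    if samesite == "none":
        if not secure:
            return "None", False, "rejected: SameSite=None without Secure"
        return "None", True, "delivered cross-site over HTTPS"
    if samesite == "strict":
        return "Strict", False, "same-site requests only"
    # Explicit Lax, or no SameSite attribute at all (Chrome 80 default).
    # Assumption: an unrecognised value is handled like a missing one.
    return "Lax", False, "withheld from cross-site iframes and POSTs"


def blocked_cross_site(headers):
    """Names of cookies that will not be available in a cross-domain scenario."""
    return [parse_set_cookie(h)[0] for h in headers if not chrome80_treatment(h)[1]]


# Constructed sample headers (not captured from a real server).
SAMPLE_HEADERS = [
    ".LFFORMSAUTH=abc123; path=/; HttpOnly",                 # no SameSite
    "sid=abc123; path=/; SameSite=None",                     # None, not Secure
    "sid2=abc123; path=/; HttpOnly; SameSite=None;Secure",   # None and Secure
]

if __name__ == "__main__":
    for h in SAMPLE_HEADERS:
        print(parse_set_cookie(h)[0], chrome80_treatment(h))
```
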

Resolution

For Laserfiche web client 10.4.2, a patch is available that resolves the issue. Please see the following article: List of Changes for Laserfiche Client 10.4.2 Update 1.

For Laserfiche Directory Server 10.4.2, a patch is available that resolves the issue. Please see the following article: Laserfiche Directory Server 10.4.2 update 3

For Laserfiche Directory Server 10.4.3, a patch is available that resolves the issue. Please see the following article: Laserfiche Directory Server 10.4.3 Update 2

Workaround

If a patch is not yet available for an affected product, you can manually modify web.config files for the affected applications. Locate the section for the appropriate application and follow the listed steps. Be aware that the workarounds involve turning on secure cookies, which requires configuring the web application for HTTPS over SSL/TLS.

Laserfiche Forms 10.4.2 with Laserfiche Server authentication

  1. Open the Forms site's web.config file in a text editor. The default path is C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config.
  2. Under <system.web>, look for the <authentication> block.
  3. Within the <authentication> block, modify the <forms> element, setting the cookieSameSite and requireSSL attributes to the following values:
    <forms loginUrl="~/Account/LogOn" timeout="20160" name=".LFFORMSAUTH" cookieSameSite="None" requireSSL="true" />
    
  4. Save your changes to the web.config file.

Laserfiche Forms 10.4.2 with Directory Server authentication or Laserfiche Federated Search 10.4.2

  1. Open the Forms site's web.config or Federated Search's search site web.config file in a text editor. Default web.config paths for each application are as follows:
    • Forms: C:\Program Files\Laserfiche\Laserfiche Forms\Forms\Web.config
    • Federated Search: C:\Program Files\Laserfiche\FederatedSearch\SearchSite\Web.config
  2. Look for the <system.web> block.
  3. Within the <system.web> block, add the following line:
    <httpCookies requireSSL="true" httpOnlyCookies="true" sameSite="None" />
    
  4. Save your changes to the web.config file.
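
The following added example (not part of the original article or of any Laserfiche product) checks a web.config for the pairing that both Forms workarounds above rely on: any element that sets SameSite to "None" must also set requireSSL="true". The sample configuration is constructed for illustration; the element and attribute names are the ones shown in the steps above.

```python
# Added example: flag SameSite=None settings in web.config that lack requireSSL.
import xml.etree.ElementTree as ET

# Constructed sample: <forms> is configured as in the workaround,
# but <httpCookies> sets sameSite="None" without requireSSL.
SAMPLE_WEB_CONFIG = """<configuration>
  <system.web>
    <httpCookies httpOnlyCookies="true" sameSite="None" />
    <authentication mode="Forms">
      <forms loginUrl="~/Account/LogOn" timeout="20160" name=".LFFORMSAUTH"
             cookieSameSite="None" requireSSL="true" />
    </authentication>
  </system.web>
</configuration>"""

# (element path under <configuration>, attribute carrying the SameSite mode)
CHECKS = [
    ("system.web/httpCookies", "sameSite"),
    ("system.web/authentication/forms", "cookieSameSite"),
]


def audit_web_config(xml_text):
    """Return one finding per element with SameSite "None" but no requireSSL="true"."""
    root = ET.fromstring(xml_text)
    findings = []
    for path, attr in CHECKS:
        for elem in root.findall(path):
            mode = elem.get(attr, "")
            ssl = elem.get("requireSSL", "false")
            if mode.lower() == "none" and ssl.lower() != "true":
                findings.append(
                    f'<{elem.tag}> sets {attr}="None" but requireSSL is "{ssl}"'
                )
    return findings


if __name__ == "__main__":
    for finding in audit_web_config(SAMPLE_WEB_CONFIG):
        print(finding)
```
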

Laserfiche web client 10.4.2 or Laserfiche WebLink 10

Note: This workaround requires that the URL Rewrite module be installed on the IIS server hosting the web client or WebLink. If the feature is not already enabled, please download the extension from the official Microsoft website.

  1. Open the web client or WebLink web.config file in a text editor. Default web.config paths for each application are as follows:
    • Web Client: C:\Program Files\Laserfiche\Web Access\Web Files\web.config
    • WebLink: C:\Program Files\Laserfiche\WebLink\WebLink\Web Files\Web.config
  2. Look for the <system.web> block.
  3. Within the <system.web> block, add the following line:
    <httpCookies requireSSL="true"/>
  4. Under <system.webServer>, look for the <rewrite> block.
  5. Within the <rewrite> block, add the following line:
     <outboundRules configSource="outboundRules.config"/> 
  6. Save your changes to the web.config file.
  7. Within the same directory as the web client's web.config file (e.g., C:\Program Files\Laserfiche\Web Access\Web Files), create a new file in a text editor and name the file outboundRules.config.
  8. Save the following to outboundRules.config:
     
    <outboundRules>
      <rule name="Set SameSite to None in the middle">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)SameSite=([a-zA-Z]+);(.*)" negate="false" />
        <action type="Rewrite" value="{R:1}SameSite=None;Secure;{R:3}" />
      </rule>
      <rule name="Set SameSite to None at the end">
        <match serverVariable="RESPONSE_Set_Cookie" pattern="(.*)SameSite=" negate="false" />
        <action type="Rewrite" value="{R:1}SameSite=None;Secure" />
      </rule>
      <rule name="Add SameSite if it does not exist">
        <match serverVariable="RESPONSE_Set_Cookie" pattern=".*"/>
        <conditions logicalGrouping="MatchAll">
          <add input="{R:0}" pattern="(.*)SameSite=" negate="true"/>
        </conditions>
        <action type="Rewrite" value="{R:0}; SameSite=None;Secure" />
      </rule>
    </outboundRules> 
  9. Save the changes to outboundRules.config.

Related Links

1014117 List of Changes for Laserfiche Client 10.4.2 Update 1.

1014122 Turning off Secure Cookies for Laserfiche Web Client 10.4.2.

1014146 Laserfiche Directory Server 10.4.2 update 3

1014147 Laserfiche Directory Server 10.4.3 Update 2