Recently, Google has released the Chrome 80 to the Stable channel and the new web browser version is available for all desktop operating systems like Linux, Windows, Mac. and also mobile operating systems. Progress has also updated Sitefinity to ensure that the full set of capabilities is in perfect tune with the imminent changes to how the web browsers handle the cross domain cookies and continuous operations.
So, here let’s discuss the new requirements that are to be introduced in Chrome 80 and how Sitefinity CMS setup and configurations make these latest patches a must.
Desktop users may now check for the latest updates to update the web browser now, but the update should be distributed to most systems automatically. The big change in Chrome 80 is the enforcement of the new cookie classification system. Google also made plans to improve the cookie controls and predictions in the company’s browser through the SameSite cookie attribute. All the changes in the SameSite attribute are also aimed at tighter levels of security against the cross site request forgery.
Implementing Sitefinity Patches:
Sitefinity CMS is well equipped for cookie protection courtesy of the WebSecurity Module, which is introduced in V11 and also enhanced with the CSRF protection in the V12.1. the update in the Chrome 80 has a number of potential implications for the authentication, any third party integrations and the development setup and workflow that may be running that involves the cross domain cookies. The scope obviously will vary based on the version of Sitefinity that you are using.
Patches for this are available for all the versions of Sitefinity till v10.2. progress encourages everyone to be careful while upgrading as it depends on specific setup whether the patch is essential to operate it or just a choice that will keep the system future proofed and stable.
While speaking about the specific setups, some of the Sitefinity versions are more equal than others. In case you are using the 12.1 version or above, and you have enabled the WebSecurity module then it is fine, except if you are using the external OpenID Connect authentication provider. For versions older than 12.1, you need to review and also replace the cookies that you are using cross site for integrating with the external services.
The Sitefinity authentication model is also based on OpenID Connect Protocol and OAuth2. Besides the default options, you can enable the authentication via the external identity providers which support the OpenID Connect Protocol. If you are looking for some extra layer of extensibility, you have the support, right out of the box which will help you set up a number of external providers, for example. Microsoft, Google, social network accounts, ADFS and etc. for Sitefinity authentication.
The patches are recommended of you are using the OpenID Connect authentication in the multiple domains setup and only one multiple domain is used as a SSO identity provider for all the other domains.
The biggest advantage of using the recent Sitefinity 12.x version is that the out of the box cookie protection is completely compatible with the upcoming SameSite changes. The cookie protection is refined over several consecutive releases and it has been thoroughly tested, so that it matches the latest requirements.