
We want to set SameSite=strict for our Session Cookie for our application. But we have certain very special situations (IMS Deep Linking) where we want to allow an external site to POST to a very particular URL and use/maintain the logged-in status of a user. I have added a token parameter to re-establish the session without a Cookie so I can process the POST without needing the SESSION cookie - this may not be elegant but it works fine.

But then this POST handling code finishes its work and does a re-direct back to itself which causes the browser to issue a GET request. In the resulting GET request, the browser does not include the SESSION cookie.

This seems weird since the redirect is coming from my server (i.e. not the external server).

So my question is whether the spec for SameSite expects a POST-Redirect-GET sequence to be treated as a single operation that gets no cookies, even though my system accepted the POST and the redirect came from my system?

I have worked around this by adding a token to the GET URL to do a second temporary bypass of the need for a Cookie, and from that point forward everything works well - the user is still logged in from that point forward. The cookie was always there - it was just not sent on the POST or the redirected GET.

I am using Chrome in all this, since my Firefox ignores SameSite in my current version - the cookies just come in like before SameSite (for a little while).

I think our implementation will use SameSite=strict and a whitelist of URLs that are allowed to do the bypass trick; those URLs will need to have a special token to do the bypass, and those URLs protect themselves in other ways than just the login cookie.

But I would like to make sure that I am basing my design on a solid understanding of SameSite=strict and POST-Redirect.

P.S. There is no point in telling me to rewrite the other side of the interaction so as to not require a ForeignSite POST in a browser to work. It is a spec that I don't control, with lots of implementations out there in the wild that I need to interoperate with.

drchuck
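The behaviour the question describes follows from the "site for cookies" rule in the RFC 6265bis SameSite draft: a top-level navigation is same-site or cross-site according to the site that initiated it, and a redirect inside that navigation inherits the initiator rather than resetting it to the redirecting server. The following Python model is an added illustration, not code from the question or from any browser, and the hostnames (`app.example`, `lms.example`), the `/lti/launch` path and the stand-in `app_server` are constructed; it traces which cookies a Strict or Lax SESSION cookie would carry across the POST-Redirect-GET chain.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# Simplified model of the RFC 6265bis "site for cookies" rule, written for this
# question; it is not a browser implementation. All hostnames are constructed.
@dataclass
class Cookie:
    name: str
    same_site: str   # "Strict", "Lax" or "None"

def site(url):
    """Schemeful site: scheme plus an approximate registrable domain (last two labels)."""
    p = urlparse(url)
    return (p.scheme, ".".join((p.hostname or "").split(".")[-2:]))

def cookies_sent(jar, url, initiator, method):
    """Names of cookies a top-level request to `url` carries, given the site that
    initiated the navigation. Strict needs same-site; Lax also allows top-level GET."""
    same = initiator is not None and site(initiator) == site(url)
    return [c.name for c in jar
            if c.same_site == "None" or same or (c.same_site == "Lax" and method == "GET")]

def navigate(jar, initiator, method, url, server):
    """Follow one navigation through redirects. Key point: a redirect does not change
    the navigation's initiator, so a chain started cross-site stays cross-site.
    `server(method, url)` returns (status, location). Returns [(method, url, cookies)]."""
    trace = []
    while True:
        trace.append((method, url, cookies_sent(jar, url, initiator, method)))
        status, location = server(method, url)
        if status not in (301, 302, 303, 307, 308):
            return trace
        if status in (301, 302, 303):   # POST turns into GET (Post/Redirect/Get)
            method = "GET"
        url = location

LAUNCH = "https://app.example/lti/launch"   # constructed deep-linking endpoint

def app_server(method, url):
    """Constructed stand-in for the application: accept the POST, redirect to itself."""
    if method == "POST" and url == LAUNCH:
        return 303, LAUNCH
    return 200, None

JAR = [Cookie("SESSION", "Strict")]

def cross_site_launch(jar=JAR):
    """External site (the LMS) POSTs to the launch URL."""
    return navigate(jar, "https://lms.example/course", "POST", LAUNCH, app_server)

def same_site_launch(jar=JAR):
    """Same form submitted from a page on the application itself, for comparison."""
    return navigate(jar, "https://app.example/home", "POST", LAUNCH, app_server)
```

Under this model the Strict cookie is absent on both the cross-site POST and the redirected GET, while a Lax cookie would be absent on the POST but present on the redirected GET; the same-site submission carries the cookie on both hops.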
