WCP Security Scan Issues related to Microsoft.Owin.Security.OpenIdConnect package #564
Description
Hi Team,
The recent WCP security scan flagged the SameSite attribute of cookies as "Lax" instead of "None" for the Imagine Cup project. The source code uses the Microsoft.Owin.Security.OpenIdConnect NuGet package, which sets SameSite to "None". This mismatch suggests the package behavior may differ from expectations. The development team should review the NuGet package implementation and verify cookie settings during sign-in.
Imagine cup source code: ImagineCup
Package source code: Microsoft.Owin.Security.OpenIdConnect
The WCP Security Scan report Samesite attribute set to "None". Error Description: SameSite attribute is not set to "strict" or "lax"
We observed in our Imagine cup source code, SignIn Methods using the Microsoft.Owin.Security.OpenIdConnect NuGet package.
We reviewed the NuGet package source code and found that the SameSite attribute is set to "None". This setting triggered the security scan error. To resolve the issue, the package team should update the SameSite property to "Lax" or "Strict" for cookies.
Please let us know how we can proceed on this.