Switching SuperOffice session cookie from Lax to None. Why?

Hi, today Online will change its own ASP.NET session cookie from using SameSite=Lax to SameSite=None, as informed in email to application owners.

In the email it also indicates that if we need to we can do similar change for Onsite customers by setting the sessions are element in web.config to use cookieSameSite="None".

For our apps we're already working on using SameSite=None, since WE are a third-party when running inside a webpanel in SuperOffice. In that case I totally see why SameSite=None is needed.

However, I don't understand what problem changing SuperOffice's SameSite from Lax to None. What is the scenario where that fixes an issue..? Is that for when SuperOffice is hosted inside an iframe on another site? Does it have anything to do with Service, Customer Center or Chat? Or something with SuperID?

I'm sure there is a good reason, and chances are we're going to do this change for our Onsite customers, I just don't see why.

What am I not getting?

Hi Frode,

it's been an eventful week... This was done as a workaround for SuperOffice Service screens using rest run as a web panel inside the sales client, it is a temporary workaround that gives some a bit more time to fix. We will make sure to be very clear when we plan to remove this again. 

Av: Margrethe Romnes 23. jan 2020

Thanks :)

Av: Frode Lillerud 23. jan 2020