Samesite attribute on Octopus cookies

I am trying to build some integration on top of the Octopus Deploy API to help my operations team initiate deployments currently configured in our on-prem hosted instance of Octopus Deploy. My application is a React app hosted on a separate domain to Octopus. The intent of my application is that when users need to interact with Octopus, they first get authenticated by POST-ing to the /integrated-challenge endpoint, which will log them in using the already configured NTLM authentication between their browser/workstations and our Octopus instance.

The issue I’m having is that when I get the response from /integrated-challenge my browser (Chrome/Edge) blocks the Octopus cookies because the samesite attribute is not set and defaults to “lax”. This means that subsequent requests to the Octopus API return a 401 as the cookies are not transmitted.

Is there a way to configure the samesite attribute for Octopus cookies? Could Octopus server be made to add samesite=none if requests were coming from domains on the CORS whitelist?
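The behaviour described in the question (a cookie set without a SameSite attribute being treated as Lax and therefore not sent on a cross-site fetch from another domain) can be modelled directly. The following is an added example, not code from the thread or from Octopus Deploy: it parses a Set-Cookie header, works out the effective SameSite mode the way Chrome 80+ and Edge do, and decides whether the cookie would be attached to a given request. The cookie name `OctopusSession`, the sample header values and the request shapes are constructed for illustration.

```javascript
// Added example (not from the forum thread or the Octopus code base).
// Models the browser-side SameSite decision that causes the 401s in the question.

// Parse one Set-Cookie header value into { name, value, sameSite, secure }.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name, ...rest] = parts[0].split('=');
  const cookie = { name: name.trim(), value: rest.join('='), sameSite: null, secure: false };
  for (const attr of parts.slice(1)) {
    const [k, v = ''] = attr.split('=');
    const key = k.trim().toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Effective SameSite mode. Chrome 80+ and Edge treat a missing attribute as
// Lax, and honour SameSite=None only when Secure is also present; a
// SameSite=None cookie without Secure is rejected outright.
function effectiveSameSite(cookie) {
  const mode = cookie.sameSite || 'lax';
  if (mode === 'none' && !cookie.secure) return 'rejected';
  if (!['strict', 'lax', 'none'].includes(mode)) return 'lax'; // unknown values fall back to Lax
  return mode;
}

// Would the browser attach this cookie to the request?
// request = { crossSite, method, topLevelNavigation }
// (Chrome's temporary "Lax+POST" allowance for cookies younger than two
// minutes is deliberately ignored here; it does not help an API client.)
function cookieSent(cookie, request) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected') return false;
  if (!request.crossSite) return true;
  if (mode === 'none') return true;
  if (mode === 'strict') return false;
  // Lax: sent cross-site only on top-level navigations using a safe method.
  const safe = ['GET', 'HEAD', 'OPTIONS', 'TRACE'];
  return request.topLevelNavigation && safe.includes(request.method.toUpperCase());
}

// Constructed samples: the situation in the question (no SameSite attribute),
// the setting that would work for a cross-domain client, and a common mistake.
const SAMPLES = {
  defaultCookie: 'OctopusSession=abc123; Path=/; HttpOnly',
  noneSecure: 'OctopusSession=abc123; Path=/; HttpOnly; Secure; SameSite=None',
  noneInsecure: 'OctopusSession=abc123; Path=/; HttpOnly; SameSite=None',
};

// A fetch() from a React app on another domain: cross-site, POST, not a navigation.
const API_CALL_FROM_OTHER_ORIGIN = { crossSite: true, method: 'POST', topLevelNavigation: false };

// Summarise the decision for one header/request pair.
function explain(header, request) {
  const cookie = parseSetCookie(header);
  return { name: cookie.name, mode: effectiveSameSite(cookie), sent: cookieSent(cookie, request) };
}

for (const [label, header] of Object.entries(SAMPLES)) {
  console.log(label, explain(header, API_CALL_FROM_OTHER_ORIGIN));
}
```

Running it shows the cookie without an attribute resolving to Lax and being withheld from the cross-site API call, the `SameSite=None; Secure` variant being sent, and the `SameSite=None` variant without `Secure` being dropped entirely. Note that `SameSite=None` only removes the browser-side block; the client still has to send the request with credentials (for example `fetch(url, { credentials: 'include' })`) and the server still has to answer the CORS preflight with `Access-Control-Allow-Credentials: true` and an explicit, non-wildcard `Access-Control-Allow-Origin` for the client's origin.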

Hi Dav,

Thanks for getting in touch! I brought this up with the team and it looks like there was already some work done internally to allow support for specifying the samesite attribute. It looks like this was more of a blanket setting change as opposed to your proposed samesite=none for whitelisted domains.

I’m currently following up with the developers to see if there is any chance of getting this change finished and implemented. I will note, this feature was never implemented and I can’t guarantee if/when/how it will be implemented, I’m just starting the discussion with the team to get some further information.

I will keep this conversation open and get back to you as soon as I have some more concrete information.

Best regards,
Daniel