KB484005: Configure the SameSite Flag for MicroStrategy Deployments


Onur Uran

Quality Architect • MicroStrategy


This article outlines how to set the SameSite flag for MicroStrategy products.

Note: If you are using Strategy 2021 Update 7 or newer, use the following procedures to configure SameSite cookies, instead of the procedures in this article.

  • Configure SameSite Cookies for Library
  • Configure SameSite Cookies for MicroStrategy Web and MicroStrategy Mobile


Upon the release of Chrome Web Browser version 80 (Chrome v80) in February, Google aggressively enforced cross-site security. Google is early in its new security actions compared to other vendors.
The new security enforcement altered the logic for browser-to-server cookie transmission, which affected any enterprise software product that supports HTTP. This includes not only enterprise software, but also major infrastructure software components such as proxies, web application servers, load balancers, application firewalls, and other network and application components. As such, software vendors now have to make numerous accommodations in a compressed timeframe to support the new Chrome version.

What specifically is changing?


Chrome v80 rolled out on February 17, 2020. This new version introduced two significant changes that modified the behavior of the SameSite cookie:

  • The default value for the SameSite cookie attribute is "Lax."
  • If the SameSite cookie attribute is set to "None" then the associated cookie must be marked as "Secure."


Changing the default value of the SameSite attribute restricts how the browser can send the cookie. With the new default, the browser sends the cookie only to the same domain or on requests that are considered "top-level" navigation.
The second change means that cookies set to "None," which was the previous default, are transmitted only if HTTPS is enabled.

What is Strategy doing about this?


Strategy is working diligently to provide product updates and guidance to support customers using the newest Chrome version. These changes were first introduced in Strategy 2019 Update 5 and Strategy 2020 Update 1 to resolve issues caused by the SameSite cookie updates. It's recommended that customers upgrade to the latest available release and apply the solutions below for Strategy Web JSP/ASP and Strategy Library.
Customers are strongly encouraged to test their Strategy deployments with the Chrome v80 Beta browser. Additionally, Strategy will be working closely with customers that leverage the Strategy Cloud Platform to support an automated update process.

What is the impact on embedded Strategy Web applications?

Strategy has determined that this change affects embedded deployments of Strategy Web and Strategy Library when they are deployed in a domain other than the one displayed in the user's address bar.
Embedded deployments include all instances where the Strategy product is accessed via an iframe or when it is not considered a part of the browser's top-level navigation (i.e. is not the link in the address bar of the browser).
In affected deployments, cookie incompatibility could prevent users from authenticating into Strategy.

What is the impact on SAML?

SAML configured with SP initiated POST Binding is known to be affected if the Strategy application servers are in a different domain from the SAML authentication Identity Provider domain. SAML with GET/Redirect Binding is not affected.

What do I do if my environment is affected?


In Strategy 2019 and above, you can resolve the cross-domain compatibility issues by opting into the current SameSite default value. The following instructions provide steps to opt-in for the JSP version of Strategy and for the ASP version of Strategy.
Embedded developments of Strategy 2019 and Strategy Web 2020 that are affected by the cross-domain issues above have the following options available to opt into the current default value of SameSite in Strategy Web.
Note: If the options identified below do not resolve the issues related to the Chrome v80 change, please contact Strategy Technical Support so they can evaluate your specific deployment environment.

Solution for Strategy Web JSP

Prerequisite: The application server must support the SameSite cookie changes. Ensure you are running Tomcat Web Server version 9.0.30 or later or version 8.5.50 or later with HTTPS configured.
Strategy 2021 Update 6 and older

  1. If context.xml doesn't already exist in the following folder location, create it:
    C:\Program Files (x86)\Common Files\Strategy\Tomcat\apache-tomcat-9.0.31\webapps\Strategy\META-INF\context.xml

  2. Add the following content to context.xml:
    <Context>
      <CookieProcessor sameSiteCookies="None"/>
    </Context>

  3. Save the file.
  4. Edit sys_defaults.xml, which is typically located at:
    C:\Program Files (x86)\Common Files\Strategy\Tomcat\apache-tomcat-9.0.31\webapps\Strategy\WEB-INF\xml\sys_defaults.xml

    Change the alwaysSecureCookie value to 1. If the alwaysSecureCookie parameter is not found, skip this step.
  5. Restart the Tomcat Web Server.

Strategy 2021 Update 7 and newer
See Configure SameSite Cookies for MicroStrategy Web and MicroStrategy Mobile for more information.
Note: If you want to continue modifying the files manually or via script, follow steps 1-5 above. In addition, comment out the following parameters from sys_defaults.xml under Strategy/WEB-INF/xml and restart the web server.

<!--<pr des="Cookie attribute SameSite" dt="string" n="sameSite" scp="server" v="UNSET" />-->

Solution for Strategy Web ASP

Prerequisite: The application server must support the SameSite cookie changes. Please upgrade the .NET Framework to v4.8 and make sure that the latest updates have been applied. See KB articles that support SameSite in .NET Framework on the Microsoft Docs site for more information.
Strategy 2021 Update 5.2 and older

  1. Navigate to the following location:
    C:\Program Files (x86)\Strategy\Web ASPx\web.config

  2. Create a backup of the web.config file. 
  3. Open the web.config file.
  4. Add the following parameters:
    In the <sessionState /> tag, add cookieSameSite="None"

    In the <httpCookies /> tag, add sameSite="None"

  5. Contact your IT team to configure and enable SSL and apply the necessary certificates on the IIS server.
  6. Go to SSL Settings and select the Require SSL checkbox.
  7. Restart the IIS Web Server.

Strategy 2021 Update 6 and newer
Follow the same instructions for Update 5.2 and older, as shown above.

Solution for Strategy Library

Prerequisite: Upgrade Tomcat to 9.0.30 (and up) or 8.5.50 (and up).
Strategy 2021 Update 6 and older

  1. If context.xml doesn't already exist in the following folder location, create it:
    C:\Program Files (x86)\Common Files\Strategy\Tomcat\apache-tomcat-9.0.30\webapps\StrategyLibrary\META-INF\context.xml

  2. Add the following to context.xml:
    <Context>
      <CookieProcessor sameSiteCookies="None"/>
    </Context>

  3. Uncomment or copy the cookieProcessorFilter declaration highlighted below in:
    C:\Program Files (x86)\Common Files\Strategy\Tomcat\apache-tomcat-9.0.30\webapps\StrategyLibrary\WEB-INF\web.xml

    
    	<init-param>
    		<param-name>sameSite</param-name>
    		<!-- UNSET, STRICT, LAX, NONE -->
    		<param-value>NONE</param-value>
    	</init-param>

  4. The sameSite param-value above is NONE to permit embedding. Other valid values include UNSET, LAX, or STRICT.
  5. Ensure your Tomcat is configured to support HTTPS.
  6. Restart Tomcat.

Strategy 2021 Update 7 and newer
See Configure SameSite Cookies for Library for more information.
Note: If you want to continue modifying the files manually or via script, follow steps 1 to 6 above. In addition, comment out the following parameters from configDefaults.properties under StrategyLibrary/WEB-INF/classes/config and restart the web server.

#cookie.att.secure = false

Solution for Reverse Proxy - Apache HTTP Server

Prerequisite: You already have an Apache HTTP Server configured as a reverse proxy in front of Strategy Web and Library.
Add the following to Apache's configuration file (usually httpd.conf):

  1. Load the mod_headers module, if not already loaded.
    • LoadModule headers_module modules/mod_headers.so
  2. Add these header declarations inside the <IfModule headers_module>...</IfModule> tags:
    • Header edit Set-Cookie ^(.*)$ $1;SameSite=None
    • Header edit Set-Cookie ^(.*)$ $1;Secure


Sample httpd.conf:


LoadModule headers_module modules/mod_headers.so
...
<IfModule headers_module>
  ...
  Header edit Set-Cookie ^(.*)$ $1;SameSite=None
  Header edit Set-Cookie ^(.*)$ $1;Secure
</IfModule>
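
The following Python check is an added example, not part of the original article or of any Strategy or Apache code. It applies the two Chrome v80 rules listed under "What specifically is changing?" to Set-Cookie values, both as the application sends them and after the two `Header edit` rules in the sample httpd.conf. The header values are constructed samples, and the function names and verdict labels are illustrative assumptions.

```python
import re

def parse_attrs(set_cookie):
    """Return {attribute-name (lowercase): [values...]} for one Set-Cookie value."""
    attrs = {}
    for part in set_cookie.split(";")[1:]:          # part 0 is name=value
        key, _, val = part.strip().partition("=")
        if key:
            attrs.setdefault(key.lower(), []).append(val.strip().lower())
    return attrs

def proxy_rewrite(set_cookie):
    """Mimic the article's two unconditional `Header edit Set-Cookie ^(.*)$ ...` rules."""
    for suffix in (";SameSite=None", ";Secure"):
        set_cookie = re.sub(r"^(.*)$", lambda m: m.group(1) + suffix, set_cookie, count=1)
    return set_cookie

def chrome80_verdict(set_cookie):
    """Classify a cookie under the two Chrome v80 rules the article lists."""
    attrs = parse_attrs(set_cookie)
    samesite = attrs.get("samesite", [])
    if len(set(samesite)) > 1:
        return "conflicting-samesite"    # two layers disagree; fix at the source
    if not samesite:
        return "defaults-to-lax"         # rule 1: missing attribute is treated as Lax
    if samesite[0] == "none":
        # rule 2: SameSite=None must be accompanied by Secure
        return "cross-site-ok" if "secure" in attrs else "none-without-secure"
    return "same-site-only"              # explicit Lax or Strict

# Constructed sample headers (not captured from a real deployment).
SAMPLES = [
    "JSESSIONID=abc123; Path=/app; HttpOnly",
    "JSESSIONID=abc123; Path=/app; SameSite=None",
    "pref=1; Path=/app; SameSite=Lax; Secure",
]

def audit(headers):
    """Verdict for each header as sent by the app and after the proxy rules."""
    return [(chrome80_verdict(h), chrome80_verdict(proxy_rewrite(h))) for h in headers]

if __name__ == "__main__":
    for header, (before, after) in zip(SAMPLES, audit(SAMPLES)):
        print(f"{before:22} -> {after:22} {header}")
```

The third sample shows a side effect of the unconditional `^(.*)$` match: a cookie the application already marks SameSite=Lax leaves the proxy carrying two different SameSite attributes, so set the attribute in one layer only.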

Note: Confirm that the Chrome settings allow reading cookies and do not block third-party cookies.

  1. Enter chrome://settings/content/cookies in the address bar.
  2. Enable Allow sites to save and read cookie data (recommended).
  3. Disable Block third-party cookies.

Can I disable the new Chrome 80 SameSite cookie behavior in my browser?

Yes, you can disable the Chrome 80 SameSite behavior in your browser. Disabling this will revert the behavior of the Chrome Browser to the current defaults.
Note: The flag #same-site-by-default-cookies has been removed from chrome://flags as of Chrome 91, and the behavior is now enabled by default. Please see SameSite Updates from Google for more details.

  • Enter chrome://flags in the address bar.
  • In the search box, enter SameSite. Three settings related to SameSite cookies appear.
  • Set the value of SameSite by default cookies to Disabled.
  • Click Relaunch. 

What do I do if I'm a Cloud customer?


To assist Strategy Cloud customers, Strategy will facilitate implementation of the recommended Strategy Web options.  

Why is my Safari browser not behaving properly?

Older versions of Safari use default settings that are not compatible with the SameSite cookie changes. Please ensure that you are running the latest Safari browser version for your operating system and the latest version of the operating system for your computer.

What other vendors will be affected?

The list below provides links to articles that explain how other key vendors may be impacted by Chrome v80.

  • AWS
  • Microsoft (Azure, Office 365)
  • SAP  
  • Oracle
  • Salesforce
  • OKTA
  • Ping Identity
  • Siteminder
  • ADFS
  • ESRI


Details

Knowledge Article

Published: January 28, 2020

Last Updated: September 29, 2022