Version 2021

Configure SameSite Cookies for MicroStrategy Web and MicroStrategy Mobile

The information in this topic applies to MicroStrategy Mobile, as well as MicroStrategy Web.

Starting in MicroStrategy 2021 Update 6, you can manage SameSite cookies for MicroStrategy Web and Mobile in the MicroStrategy Web and Mobile Administrator pages, respectively. See Configure the SameSite Flag for MicroStrategy Deployments for managing SameSite cookies in MicroStrategy 2021 Update 5.2 and older.

SameSite prevents the browser from sending cookies along with cross-site requests. The main goal is to mitigate the risk of cross-origin information leakage. It also provides protection against cross-site request forgery attacks. Possible values are as follows:

  • Lax: Provides a reasonable balance between security and usability for websites that want to maintain a user's logged-in session after the user arrives from an external link. The default option for SameSite is Lax, including when no option is selected.

  • Strict: Prevents the cookie from being sent by the browser to the target site in all cross-site browsing contexts, even when following a regular link.

  • None: Allows cookies in all cross-site browsing contexts.

An HTTPS connection is a prerequisite for the None selection. If the SameSite cookie attribute is set to None, the associated cookie must be marked as Secure.

A SameSite attribute of None is recommended in the following scenarios:

  • There are cross-domain compatibility issues.

  • MicroStrategy Web and MicroStrategy Library are deployed in a domain other than the one displayed in the user's address bar.

  • You are using Security Assertion Markup Language (SAML), OpenID Connect (OIDC), and third-party authentication.

How you change the cookie flag depends on your server type:

JSP Web and Mobile Servers

Starting in MicroStrategy 2021 Update 6, you can manage cookie flags using the Web/Mobile Administrator page.

  1. Access the MicroStrategy Web Administrator page.

  2. In the left pane, select Security.

  3. Based on your requirements, select the appropriate SameSite attribute. The SameSite attribute is unselected by default.

  4. Click Save and restart the Web server.
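After the restart, you can confirm the result by inspecting the Set-Cookie headers the Web server returns. The following Python check is an added example, not MicroStrategy code: it applies the rules stated above (no attribute means Lax; None requires Secure) to Set-Cookie values. The cookie name, path and header values are constructed samples.

```python
from typing import NamedTuple

KNOWN = {"lax": "Lax", "strict": "Strict", "none": "None"}

class CookieAudit(NamedTuple):
    name: str
    samesite: str    # effective value: "Lax", "Strict" or "None"
    explicit: bool   # False when the header carried no SameSite attribute
    secure: bool
    problems: list

def audit_set_cookie(header_value: str) -> CookieAudit:
    """Parse one Set-Cookie header value and check its SameSite/Secure pairing."""
    parts = [p.strip() for p in header_value.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip()
    raw = attrs.get("samesite")
    explicit = raw is not None
    # A missing or unrecognized value falls back to the Lax default.
    samesite = KNOWN.get(raw.lower(), "Lax") if explicit else "Lax"
    secure = "secure" in attrs
    problems = []
    if explicit and raw.lower() not in KNOWN:
        problems.append(f"unrecognized SameSite value {raw!r}; default (Lax) applies")
    if samesite == "None" and not secure:
        problems.append("SameSite=None without Secure; use HTTPS and mark the cookie Secure")
    return CookieAudit(name, samesite, explicit, secure, problems)

# Constructed sample headers (not captured from a real deployment).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/MicroStrategy; HttpOnly",
    "JSESSIONID=abc123; Path=/MicroStrategy; Secure; HttpOnly; SameSite=None",
    "JSESSIONID=abc123; Path=/MicroStrategy; HttpOnly; SameSite=None",
    "JSESSIONID=abc123; Path=/MicroStrategy; Secure; SameSite=strict",
]

if __name__ == "__main__":
    for header in SAMPLE_HEADERS:
        result = audit_set_cookie(header)
        status = "; ".join(result.problems) or "ok"
        print(f"{result.name}: SameSite={result.samesite} "
              f"secure={result.secure} -> {status}")
```

To check a live deployment, pass each Set-Cookie value from a response captured in the browser's developer tools to `audit_set_cookie`.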

ASP Web and Mobile Servers

See Chrome v80 Cookie Behavior and the Impact on MicroStrategy Deployments for managing SameSite cookies in all versions.