> For any flows involving POST requests, you should test with and without a long delay. This is because both Firefox and Chrome implement a two-minute threshold that permits newly created cookies without the SameSite attribute to be sent on top-level, cross-site POST requests (a common login flow).
Perhaps the type of login flow they’re getting to is that of an OIDC form_post response method? An auto-posting form is returned from the identity provider, which is then submitted to the relying party.
At least in .NET Core I observe a cookie for the OIDC nonce (.AspNetCore.OpenIdConnect.Nonce - defends against replay attacks) and a correlation cookie (.AspNetCore.OpenIdConnect.Correlation - tracks session through the redirect handshake). Both of these are created during the login redirect sequence and not intended to live beyond it.
The correlation cookie is set to SameSite=None here.
Anybody have some background on this note?
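The two-minute "Lax + POST" exception in the quoted note, applied to the form_post handshake described in the post, modelled as an added example (not code from the original post or from ASP.NET Core): a browser-side decision function plus a constructed OIDC callback scenario. Treating the nonce cookie as issued without a SameSite attribute is an assumption made here to show the threshold; the correlation cookie is SameSite=None as the post states.

```python
from dataclasses import dataclass
from typing import Dict, Optional

# Grace period Chrome/Firefox apply to cookies lacking a SameSite attribute
LAX_POST_WINDOW_SECONDS = 120


@dataclass
class Cookie:
    name: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None if the attribute is absent
    secure: bool
    created_at: float         # seconds since epoch


def is_sent(cookie: Cookie, *, cross_site: bool, top_level: bool,
            method: str, now: float) -> bool:
    """Decide whether a browser following the quoted rules attaches the cookie."""
    if not cross_site:
        return True                      # same-site requests always carry it
    if cookie.same_site == "None":
        return cookie.secure             # None is only honoured on Secure cookies
    if cookie.same_site == "Strict":
        return False
    safe_method = method.upper() in ("GET", "HEAD", "OPTIONS", "TRACE")
    if not top_level:
        return False                     # Lax never applies to subresource requests
    if cookie.same_site == "Lax":
        return safe_method
    # Attribute absent: defaults to Lax, plus the temporary top-level POST exception
    if safe_method:
        return True
    return method.upper() == "POST" and (now - cookie.created_at) < LAX_POST_WINDOW_SECONDS


def oidc_form_post_callback(delay: float) -> Dict[str, bool]:
    """Constructed scenario: both cookies are issued at the login redirect, then the
    identity provider's auto-posting form submits to the relying party after `delay`
    seconds as a cross-site, top-level POST. Returns which cookies arrive."""
    t0 = 1_700_000_000.0
    cookies = [
        Cookie(".AspNetCore.OpenIdConnect.Nonce", None, True, t0),     # assumed: no SameSite
        Cookie(".AspNetCore.OpenIdConnect.Correlation", "None", True, t0),
    ]
    return {c.name: is_sent(c, cross_site=True, top_level=True, method="POST",
                            now=t0 + delay) for c in cookies}


if __name__ == "__main__":
    for delay in (30, 200):
        print(delay, oidc_form_post_callback(delay))
```

With a 30 s delay both cookies reach the callback; after the window only the SameSite=None correlation cookie does, which is why the note recommends testing with and without a long delay.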