When a user logs into the Aeon web interface, a SessionID is created for that user and stored in a session cookie that will allow the user to remain logged into the Aeon system for the duration of their web session. However, after the recent SameSite cookie changes rolled out by Google Chrome, logged-in Aeon users may experience issues remaining logged into the Aeon system each time a request is submitted from an external website (i.e., from a website outside of the Aeon web pages, such as a library catalog or finding aid) due to the web browser blocking the Aeon session cookie.
Configuring Aeon Session Cookie Persistence Options
As of Aeon 5.2, the WebCookieSameSite customization key is used to mitigate these log-in persistence issues by setting a SameSite value on the Aeon session cookie that will prevent the cookie from being blocked by the web browser in certain cases when placing Aeon requests from external websites. This key is located under Web Interface | System in the Aeon Customization Manager and can have three possible values that will persist the Aeon session cookie under three different sets of conditions:
None: Sets the SameSite property on the Aeon session cookie to None allowing users to skip the Aeon login screen if the external website has been configured to use HTTPS.Note: If the external website is configured to use HTTP, the SameSite cookie property will be overridden for security purposes and set to Lax even if this key is set to None, meaning that users will only skip the Aeon login screen if the external website is hosted under the same domain as the Aeon web pages.
- Lax: Sets the SameSite property on the Aeon session cookie to Lax allowing users to skip the Aeon login screen only if the external website is under the same domain as the Aeon web pages.
- Strict: Sets the SameSite cookie property on the Aeon session cookie to Strict forcing users to log back into Aeon from any external website even if it is under the same domain as the Aeon web pages.