How to fix "This Set-Cookie was blocked due to user preferences" in Chrome? (Stackoverflow SSO Login / Ajax CORS request)

It seems that the recent update of Chrome to version 83.0.4103.116 brought a change to the Cookie handling.

I am providing a single sign-on for my users that signs them in to several websites. Similar to Stackoverflow, I am doing an AJAX request with jQuery:

$.ajax({ url: 'https://sso.example.com/login', // SSO endpoint (placeholder)
  crossDomain: true,
  xhrFields: { withCredentials: true }
});

And in PHP I allow the domain:

// needed for cross-domain request
header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Credentials: true');

However, now it does not work anymore.

In the dev console I found a new warning with the tooltip:

"This Set-Cookie was blocked due to user preferences"


How to fix this?



Update:

I just see that the Single-Sign-On of Stackoverflow is not working anymore either!




PS: A related question suggests telling your users to change the Chrome settings; from my POV, I'd like to avoid this. Just imagine SO informing millions of users to enable the Cookies to do a single sign-on...

asked Jun 25 '20 14:06


2 Answers

If you can only replicate this in Incognito and Pierre Pretorius's answer didn't help, you are probably being hit by a change in Chrome 83 where third party cookies are blocked by default in Incognito mode. See https://angel.co/today/stories/chrome-83-arrives-with-redesigned-security-settings-third-party-cookies-blocked-in-incognito-21796

I don't think you can do much to change this, and Google intends to make this the default behaviour in the future: https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox

EDIT: Google will not implement this until at least 2023: https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/

AML answered Oct 21 '22 00:10


The site that sends the Set-Cookie HTTP header also needs to set SameSite=None and Secure; otherwise the cookie is not saved and is ignored.

Set-Cookie: qa_session=...; SameSite=None; Secure

Before you do, please read the security implications: https://blog.heroku.com/chrome-changes-samesite-cookie

PHP code example (source):

/**
 * Wrapper around setcookie() that always emits a SameSite attribute.
 * Before PHP 7.3 setcookie() has no samesite option, so the attribute is
 * smuggled in through the path string, which PHP writes to the header as-is.
 */
function setcookieSameSite($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite = "None")
{
    if (PHP_VERSION_ID < 70300) {
        setcookie($name, $value, $expire, "$path; samesite=$samesite", $domain, $secure, $httponly);
    } else {
        // PHP >= 7.3: pass all attributes via the options array
        setcookie($name, $value, [
            'expires'  => $expire,
            'path'     => $path,
            'domain'   => $domain,
            'samesite' => $samesite,
            'secure'   => $secure,   // must be true when samesite is None
            'httponly' => $httponly,
        ]);
    }
}
Pierre Pretorius answered Oct 20 '22 23:10
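A small checker, written for this page rather than taken from either answer (Python instead of the page's PHP), that applies the Chrome 80+ rules the two answers describe to a Set-Cookie header: an unspecified SameSite is treated as Lax, SameSite=None requires Secure, and the Incognito third-party-cookie block from AML's answer drops even a correctly attributed cookie. The header strings and the qa_session cookie value are constructed.

```python
import re

# Constructed Set-Cookie headers modelled on the question: an SSO endpoint
# sets a session cookie that must survive a credentialed cross-site XHR.
CONSTRUCTED_HEADERS = {
    "legacy":    "qa_session=abc123; Path=/; HttpOnly",
    "none_only": "qa_session=abc123; Path=/; SameSite=None; HttpOnly",
    "fixed":     "qa_session=abc123; Path=/; SameSite=None; Secure; HttpOnly",
}

def parse_set_cookie(header):
    """Split a Set-Cookie header into (name, value, {attr: value});
    attribute names are lower-cased and value-less flags map to True."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else True
    return name.strip(), value, attrs

def cross_site_verdict(header, incognito_third_party_blocked=False):
    """Explain whether Chrome 80+ keeps this cookie when it is set from a
    cross-site (third-party) context such as the SSO XHR in the question."""
    _, _, attrs = parse_set_cookie(header)
    samesite = str(attrs.get("samesite", "Lax")).lower()
    if samesite not in ("none", "lax", "strict"):
        samesite = "lax"  # unknown or missing value is treated like Lax
    if samesite == "none" and "secure" not in attrs:
        return "rejected: SameSite=None requires the Secure attribute"
    if samesite in ("lax", "strict"):
        return ("unusable cross-site: SameSite=%s is not sent with a "
                "cross-site XHR" % samesite.capitalize())
    if incognito_third_party_blocked:
        return "blocked: third-party cookies disabled by user/Incognito setting"
    return "accepted"

def build_cross_site_cookie(name, value, path="/", http_only=True):
    """Emit the header shape Pierre Pretorius's answer recommends."""
    if not re.fullmatch(r"[!#$%&'*+\-.^_`|~0-9A-Za-z]+", name):
        raise ValueError("invalid cookie name")
    attrs = ["%s=%s" % (name, value), "Path=%s" % path, "SameSite=None", "Secure"]
    if http_only:
        attrs.append("HttpOnly")
    return "; ".join(attrs)

if __name__ == "__main__":
    for label, hdr in CONSTRUCTED_HEADERS.items():
        print(label, "->", cross_site_verdict(hdr))
```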