It seems that the recent update of Chrome to version 83.0.4103.116 brought a change to the Cookie handling.
I am providing a single-sign-on for my users that signs them in to several websites. Similar to Stack Overflow, I am doing an AJAX request with jQuery:
crossDomain: true,
xhrFields: { withCredentials: true },
And in PHP I allow the domain:
// needed for cross-domain request
header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Credentials: true');
However, now it does not work anymore.
In the dev console I found a new warning with the tooltip:
"This Set-Cookie was blocked due to user preferences"
How to fix this?
Update:
I just see that the Single-Sign-On of Stackoverflow is not working anymore either!
PS: A related question suggests telling your users to change the Chrome settings; from my POV, I'd like to avoid this. Just imagine SO informing millions of users to enable cookies to do a single-sign-on...
If you can only replicate this in Incognito and Pierre Pretorius's answer didn't help, you are probably being hit by a change in Chrome 83 where third party cookies are blocked by default in Incognito mode. See https://angel.co/today/stories/chrome-83-arrives-with-redesigned-security-settings-third-party-cookies-blocked-in-incognito-21796
I don't think you can do much to change this, and Google intends to make this the default behaviour in the future: https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox
EDIT: Google will not implement this until at least 2023 https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/
The site that is passing the Set-Cookie HTTP header also needs to pass SameSite as None and also Secure, else the cookie is not saved and is ignored.
Set-Cookie: qa_session=...; SameSite=None; Secure
Before you do, please read the security implications: https://blog.heroku.com/chrome-changes-samesite-cookie
PHP code example (source):
function setcookieSameSite($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite = "None")
{
    if (PHP_VERSION_ID < 70300) {
        // PHP < 7.3 has no samesite option: smuggle the attribute through the
        // path argument, which PHP writes verbatim into the Set-Cookie header.
        setcookie($name, $value, $expire, "$path; samesite=$samesite", $domain, $secure, $httponly);
    } else {
        // PHP 7.3+ accepts an options array with a native samesite key.
        setcookie($name, $value, [
            'expires'  => $expire,
            'path'     => $path,
            'domain'   => $domain,
            'samesite' => $samesite,
            'secure'   => $secure,
            'httponly' => $httponly,
        ]);
    }
}
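To see the rule from this answer (SameSite=None must be paired with Secure, and a missing SameSite is treated as Lax) together with the CORS headers the question's PHP sends, here is an added audit script that is not part of the question or either answer. It parses the Set-Cookie and Access-Control-* headers of a response and lists why a cross-site withCredentials login would fail; the sample responses, the hypothetical cookie name qa_session and the function names are all constructed for the example.

```python
"""Audit an SSO response for the cross-site cookie and CORS rules above.

Added example (not from the question or either answer): the header samples
below are constructed, and the function names are hypothetical.
"""
from typing import Dict, List, Tuple

Headers = List[Tuple[str, str]]  # repeated names allowed (several Set-Cookie)


def parse_set_cookie(header_value: str) -> Tuple[str, Dict[str, str]]:
    """Split a Set-Cookie value into (cookie name, attributes).

    Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to
    an empty string. The cookie's own value is stored under "value".
    """
    parts = [p.strip() for p in header_value.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {"value": value.strip()}
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs[key.strip().lower()] = val.strip()
    return name.strip(), attrs


def cookie_problems(header_value: str) -> List[str]:
    """Reasons a cookie will not work on a cross-site withCredentials request
    in a browser that enforces SameSite defaults (Chrome 80+). Empty = OK."""
    name, attrs = parse_set_cookie(header_value)
    samesite = attrs.get("samesite", "").lower()
    if samesite == "":
        return [f"{name}: no SameSite attribute, browser defaults to Lax and "
                "withholds it from cross-site requests"]
    if samesite in ("lax", "strict"):
        return [f"{name}: SameSite={attrs['samesite']} is never sent cross-site"]
    if samesite != "none":
        return [f"{name}: unrecognized SameSite value {attrs['samesite']!r}"]
    if "secure" not in attrs:
        return [f"{name}: SameSite=None without Secure is rejected"]
    return []


def cors_problems(headers: Headers, origin: str) -> List[str]:
    """Check the CORS headers a credentialed request needs (the two header()
    calls in the question)."""
    h = {k.lower(): v for k, v in headers}
    problems = []
    allow_origin = h.get("access-control-allow-origin")
    if allow_origin is None:
        problems.append("missing Access-Control-Allow-Origin")
    elif allow_origin == "*":
        problems.append("Access-Control-Allow-Origin: * is refused when "
                        "credentials are included")
    elif allow_origin != origin:
        problems.append(f"Access-Control-Allow-Origin {allow_origin!r} does "
                        f"not match the requesting origin {origin!r}")
    if h.get("access-control-allow-credentials", "").lower() != "true":
        problems.append("Access-Control-Allow-Credentials must be 'true'")
    return problems


def audit_sso_response(headers: Headers, origin: str) -> List[str]:
    """Combine both checks over every Set-Cookie header in the response."""
    problems = cors_problems(headers, origin)
    for key, value in headers:
        if key.lower() == "set-cookie":
            problems.extend(cookie_problems(value))
    return problems


# Constructed sample responses from a hypothetical SSO endpoint.
ORIGIN = "https://www.example.com"
BEFORE = [  # what the question's setup sent: worked before Chrome 80
    ("Access-Control-Allow-Origin", ORIGIN),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "qa_session=abc123; Path=/; HttpOnly"),
]
AFTER = [  # the fix from this answer: SameSite=None; Secure
    ("Access-Control-Allow-Origin", ORIGIN),
    ("Access-Control-Allow-Credentials", "true"),
    ("Set-Cookie", "qa_session=abc123; Path=/; HttpOnly; SameSite=None; Secure"),
]

if __name__ == "__main__":
    for label, resp in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_sso_response(resp, ORIGIN) or ["OK"])
```

Run it against captured response headers from the SSO endpoint to confirm the cookie carries both attributes. Note that a passing audit only means the header is well-formed; it does nothing about the Incognito third-party cookie block from the first answer, which no header can override.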