Menu
Our application uses cookies to remember user login. Every auth API call we make, the browser attaches server-set HTTPonly cookie with the API request and gets authenticated. This behaviour seems to be broken in safari after Mojave release.
I read about the cross-site cookie security implemented by safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work.
Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None
Please advise or provide links from people who actually found a solution..
446
Fixing common warnings The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.
The Chrome Platform Status trackers for SameSite=None and Secure will continue to be updated with the latest launch information. Mozilla has affirmed their support of the new cookie classification model with their intent to implement the SameSite=None ; Secure requirements for cross-site cookies in Firefox.
Enable the new SameSite behavior If you are running Chrome 91 or newer, you can skip to step 3.) Go to chrome://flags and enable (or set to "Default") both #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart Chrome for the changes to take effect, if you made any changes.
Resolve this issue by updating the attributes of the cookie: Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts. Note that only cookies sent over HTTPS may use the Secure attribute.
Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None is erroneously treated as SameSite=Strict, e.g. the most restrictive setting.
I've published some guidance in SameSite cookie recipes on either:
SameSite=None; Secure and those that don't.SameSite=None for those requests.
82
This is an issue also in Safari 14. Safari is not sending third-party cookies by default anymore. This is because they introduced Privacy Preference: "Prevent cross-site tracking" which is turned on by default. So if you set your cookies with SameSite=None; Secure they still don't be set and sent cross-domain.
29
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
