Session cookie set `SameSite=None; Secure;` does not work

I added SameSite=None; Secure; to Set-Cookie, but the cookie was not set and I can't log in to my site.

response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});

I reviewed the cookie in developer tools under Application > Storage > Cookies to see more details. It showed a warning message:

this set-cookie was blocked because it was not sent over a secure connection

Chrome blocks the cookie because I work in the development environment and I send HTTP requests. But the same test in the Firefox browser logs in correctly.
I put the word Secure in the cookie and it worked properly, but the word Secure must be used next to SameSite=None for cross-origin, otherwise the cookie will be blocked.
My question is why, when I use Secure, only the Chrome browser blocks the cookie, but it works in other browsers. And if I do not use Secure I can not test the payment gateway, because Chrome blocks cross-origin if I do not use Secure...

mrbelane asked Aug 22 '20 09:08



2 Answers

My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers

I am not sure about other browsers, but Chrome implements the strategy of allowing cookies with the Secure attribute only over a secure connection, as per this IETF draft.

While this draft is implemented in Chrome, it is not in Firefox, which is why on Firefox, if you go to about:config > network.cookie.sameSite.noneRequiresSecure, the default value is false.

If you just need to do it for your local dev environment, you can retain the old behavior for cookies in Chrome by disabling

  1. chrome://flags/#same-site-by-default-cookies
  2. chrome://flags/#cookies-without-same-site-must-be-secure

I have to support legacy http clients, but if I make the https:// origin secure, I can't set the cookie from http; moreover I can't access this cookie from http. My goal is to have SameSite=None, Secure on http and not secure on the http:// origin. Any ideas, instead of establishing protests near the Google office?

Given that it is going to be standard in near future, I doubt you will be able to achieve this behavior for client applications, only route is to go secure, HTTPS.

Reference:

  1. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
  2. https://redmondmag.com/articles/2020/01/28/samesite-cookie-changes-break-apps.aspx
Dipen Shah answered Nov 15 '22 19:11


Sometimes cookies don't work as expected because some cookies are misusing the SameSite attribute. Cookie SomeCookie is rejected because it has the SameSite=None attribute but is missing the Secure attribute. So any cookie that requests SameSite=None must be marked as Secure.

Set-Cookie: product=pen; SameSite=None

For fixing this, you must add the Secure attribute to your SameSite=None cookies.

Set-Cookie: flavor=choco; SameSite=None; Secure

A Secure cookie will only be sent to the server with an encrypted request over the HTTPS protocol.

Note: insecure sites (http:) can't set cookies with the Secure directive.

Nbody answered Nov 15 '22 19:11
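The two rules the answers describe (SameSite=None needs Secure, and a Secure cookie is only accepted over HTTPS) applied to headers like the one in the question, as an added example that is not code from the question or either answer; `tokenCookie`, its `isHttps` switch and the Lax fallback for plain-http development are assumptions of this example:

```javascript
// Parse a Set-Cookie header value into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: eq < 0 ? pair : pair.slice(0, eq),
    value: eq < 0 ? '' : pair.slice(eq + 1),
    attrs: {},
  };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i < 0 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i < 0 ? true : attr.slice(i + 1); // flag attrs become true
  }
  return cookie;
}

// Mirror the browser-side decision described in the answers: returns null when the
// cookie would be stored, otherwise the reason it is rejected. `isHttps` says whether
// the response arrived over a secure connection (the asker's dev setup was plain http).
function rejectionReason(header, isHttps) {
  const c = parseSetCookie(header);
  const sameSite = String(c.attrs.samesite || 'Lax').toLowerCase(); // unset -> Lax
  const secure = c.attrs.secure === true;
  if (sameSite === 'none' && !secure) {
    return 'SameSite=None requires the Secure attribute';
  }
  if (secure && !isHttps) {
    return 'Secure cookie was not sent over a secure connection';
  }
  return null;
}

// Build the token cookie from the question. Over https the cross-site form
// SameSite=None; Secure is used; on a plain-http dev origin (assumed setup) the
// cookie falls back to SameSite=Lax without Secure so the browser will still store it.
function tokenCookie(token, { isHttps, hostname, expires }) {
  const parts = [`token=${token}`, 'Path=/', `Domain=${hostname}`, `Expires=${expires.toUTCString()}`];
  if (isHttps) {
    parts.push('SameSite=None', 'Secure');
  } else {
    parts.push('SameSite=Lax');
  }
  return parts.join('; ');
}
```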