socket.io sets cross-site cookie without same-site attribute

Question

I have a socket.io application and recently I got this warning:

A cookie associated with a cross-site resource at URL was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.`

Apparently it is something that Chrome will be updating in the future: SameSite warning Chrome 77

I already tried this but to no apparent avail : io = io.listen(server, { cookie: false });

I think the cookie doesn't do anything, so how can I disable io from setting it?

Answer 1

As per the issue reported in Socket IOs' github repo, that cookie is not used for anything; you can disable it by setting cookie: false in the server options.

But what you have missed is setting {cookie: false} option when initializing the socket, not http.listen. The solution provided below worked for me that uses express as the server.

var server = require('http').createServer(express());
var io = require('socket.io')(server, { path:"/some/path", cookie: false });