 

This Set-Cookie didn't specify a "SameSite" attribute and was default to "SameSite=Lax" - Localhost

I'm a front-end developer working on an application where the login response puts a session cookie on the client. Later requests are then authorized because the user is "logged in".

Starting from Chrome 80

All cookies without a SameSite attribute will be treated as if they had SameSite=Lax specified. In other words, they will be restricted to first-party only (server and client on the same domain). If you need third-party cookies (server and client on different domains), then they must be marked with SameSite=None.

Restricted to first-party by default

Set-Cookie: cname=cvalue; SameSite=Lax

Allowed in third-party contexts

Set-Cookie: cname=cvalue; SameSite=None; Secure

For my application, I want the default behavior. My client and server run on the same domain in production. But in development I'm working from localhost (a different domain).
Up until now, Chrome had a special flag under chrome://flags, "SameSite by default cookies". I could enable this flag on my development machine and the login passed. In production I didn't need this flag, because there I wanted the default behavior.

Starting from Chrome 91

The "SameSite by default cookies" flag was removed. This means that from this version on I can't log into my app without deploying it to production.

Does anybody know how I can get the session cookie while working from localhost, but still keep the security of SameSite=Lax? If possible with client-only changes, but if needed also with server changes.

(Image: Chrome DevTools - SameSite error message)

(Image: Chrome 80 flags menu - these flags were removed in Chrome 91)

Update

I tried to solve this by making the server use SameSite=None (development only). This causes a different error: "Connection isn't secure". This is because when using SameSite=None you are required to add the Secure attribute and, of course, use an HTTPS connection. A secure connection has its own problems, like having to pay for a certificate in development.

Gil Epshtain asked Jun 03 '21 12:06
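The Chrome 80 rules quoted in the question (no attribute means Lax; None requires Secure) decide whether the login cookie is stored and whether it rides along on a request from localhost to the production API. The following is an added example, not code from the question or from Chrome: it models those rules in a few functions so the localhost-versus-production case can be checked without a browser. The site() helper reduces a hostname to its last two labels, a deliberate simplification of the public-suffix rules (it mis-handles suffixes like co.uk), and the "Lax + POST" two-minute allowance is Chrome's mitigation for cookies that were defaulted to Lax rather than explicitly set to Lax. All URLs and Set-Cookie headers below are constructed inputs.

```javascript
// Added example (not from the original post): a model of Chrome's SameSite
// defaults. parseSetCookie() works out a cookie's effective SameSite value
// and whether the browser accepts it at all; wouldBeSent() decides whether a
// stored cookie accompanies a request, given the request context.

// Site of a URL: scheme plus registrable domain. Simplified to the last two
// hostname labels (assumption; real browsers use the public suffix list).
// Ports are ignored, so http://localhost:3000 and http://localhost:8080 are
// one site, while http://localhost and https://api.example.com are not.
function site(urlString) {
  const u = new URL(urlString);
  const labels = u.hostname.split('.');
  const host = labels.length <= 2 ? u.hostname : labels.slice(-2).join('.');
  return `${u.protocol}//${host}`;
}

function isSameSite(requestUrl, initiatorUrl) {
  return site(requestUrl) === site(initiatorUrl);
}

// Parse "name=value; attr; attr=value". Returns null when the browser would
// reject the cookie outright (SameSite=None without Secure, as in Chrome 80+).
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = {
    name: pair.slice(0, eq),
    value: pair.slice(eq + 1),
    secure: false,
    sameSite: null, // exactly as the server wrote it, null if absent
  };
  for (const attr of attrs) {
    const [k, v = ''] = attr.split('=');
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = v.toLowerCase();
  }
  // No attribute: treated as Lax. Such defaulted cookies additionally get
  // Chrome's "Lax + POST" allowance (top-level cross-site POST, < 2 minutes old).
  cookie.effectiveSameSite = cookie.sameSite ?? 'lax';
  cookie.laxAllowingUnsafe = cookie.sameSite === null;
  if (cookie.effectiveSameSite === 'none' && !cookie.secure) {
    return null; // "SameSite=None" requires "Secure"
  }
  return cookie;
}

// Would this stored cookie be attached to a request?
//   sameSite:           request URL and initiator are the same site
//   topLevelNavigation: the request is a top-level navigation (not fetch/XHR)
//   method, https:      request method and whether the request URL is https
//   ageSeconds:         how long ago the cookie was stored
function wouldBeSent(cookie, { sameSite, topLevelNavigation, method = 'GET', https = true, ageSeconds = 0 }) {
  if (cookie.secure && !https) return false;
  if (sameSite) return true;
  const safeMethod = method === 'GET' || method === 'HEAD';
  switch (cookie.effectiveSameSite) {
    case 'strict':
      return false;
    case 'none':
      return true;
    case 'lax':
      if (!topLevelNavigation) return false;
      if (safeMethod) return true;
      return cookie.laxAllowingUnsafe && method === 'POST' && ageSeconds < 120;
    default:
      return false;
  }
}

// The questioner's setup: the SPA at http://localhost:3000 calls the API at
// https://api.example.com with fetch(). Cross-site, not a navigation: no cookie.
function localhostLoginCookieIsSent() {
  const cookie = parseSetCookie('sid=abc; Path=/; HttpOnly');
  return wouldBeSent(cookie, {
    sameSite: isSameSite('https://api.example.com/me', 'http://localhost:3000'),
    topLevelNavigation: false,
  });
}
```

The same defaulted cookie is sent when the front-end is served from app.example.com, because that is the same site as api.example.com; that is why the question only bites in development.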


People also ask

How do I fix missing SameSite attribute?

The warning appears because any cookie that requests SameSite=None but is not marked Secure will be rejected. To fix this, you will have to add the Secure attribute to your SameSite=None cookies. A Secure cookie is only sent to the server with an encrypted request over the HTTPS protocol.

How do I add attributes to SameSite cookie?

To prepare, Android allows native apps to set cookies directly through the CookieManager API. You must declare first party cookies as SameSite=Lax or SameSite=Strict , as appropriate. You must declare third party cookies as SameSite=None; Secure .

What is cookie with SameSite attribute none?

A New Model for Cookie Security and Transparency Developers must use a new cookie setting, SameSite=None , to designate cookies for cross-site access. When the SameSite=None attribute is present, an additional Secure attribute must be used so cross-site cookies can only be accessed over HTTPS connections.


1 Answer

Workaround: Downgrade Chrome

This is not a solution! Just a temporary workaround for anybody like me who got their work halted by this update.

  • Uninstall Chrome: go to "Add or remove programs" and uninstall Chrome. Note that user data like cookies and saved browser passwords may be lost.
  • Download Chrome v90 from slimjet.com, or from any other site. Then install Chrome.
  • Prevent Chrome from auto-updating, according to this StackOverflow solution:
    open C:\Program Files (x86)\Google\Update
    rename the file GoogleUpdate.exe to GoogleUpdate2.exe.
    This will cause Chrome to not find the update package.
  • Update flags: open Chrome and type chrome://flags
    Search for #same-site-by-default-cookies and disable the flag.
Gil Epshtain answered Oct 19 '22 22:10