javascriptcookiessamesitecsrf-token

Session cookie set `SameSite=None; Secure;` does not work

I added SameSite=None; Secure; to set-cookie. but the cookie was not set and I can’t log in to my site.

response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});

I reviewed the cookie in developer tools under Application>Storage>Cookies and see more details. it showed a warning message:

this set-cookie was blocked because it was not sent over a secure connection

chrome blockes cookies, Because I work on the development environment and i send http request. But this test on Firefox browser logs in correctly.
I put the word secure inside the cookie and it worked properly, but because the word secure must be used next to samesite = none for cross-origin, otherwise the cookie will be blocked.
My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers. And that if I do not use secure I can not test the payment gateway because it blocks Chrome cross-orign if I do not use secure...

Solution

  • My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers

    I am not sure about other browsers but Chrome implements strategy of allowing cookies with secure attribute over secure connection as per this IETF draft.

    While this draft is implemented for Chrome, it is not on Firefox which is why on Firefox in you go to about:config > network.cookie.sameSite.noneRequiresSecure, default value is false.

    If you just need to do it for your local dev environment, You can retain the old behavior for cookies in chrome by disabling

    1. chrome://flags/#same-site-by-default-cookies
    2. chrome://flags/#cookies-without-same-site-must-be-secure

    I have to support legacy http clients, but if I make https:// origin secure , I can't set cookie from http, more over I can't access this cookie from http, my goal is to have SameSite=None, Secure on http and not secure on http:// origin, any ideas, instead of establishing protests near google office ?

    Given that it is going to be standard in near future, I doubt you will be able to achieve this behavior for client applications, only route is to go secure, HTTPS.

    Reference:

    1. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
    2. https://redmondmag.com/articles/2020/01/28/samesite-cookie-changes-break-apps.aspx