Tags: python, google-chrome, flask, cookies, flask-session

Flask-Session cookie works on other browsers for ip address & domain, but for chrome it only works on ip address


I found a question with this same problem, except it was 7 years old, and they had the opposite issue, where Chrome worked for their domain, but not IP. I need this application to work on the domain, not the IP, which is unfortunate. If I have some basic code like this: Flask:

import os
from flask import Flask, session
from flask_session import Session
from flask_cors import CORS, cross_origin
from dotenv import load_dotenv

app = Flask(__name__)
load_dotenv()
SECRET_KEY = os.getenv('FLASK_APP_SECRET_KEY')
SESSION_TYPE = 'filesystem'          # server-side sessions; the cookie only carries the session id
app.config.from_object(__name__)     # picks up the upper-case names defined above
Session(app)
CORS(app)

@app.route('/give', methods=['GET'])
@cross_origin(supports_credentials=True)
def user_make():                     # the route has no URL parameter, so no `id` argument
    session['Hi'] = 'There'
    return 'ye'

@app.route('/take', methods=['GET'])
@cross_origin(supports_credentials=True)
def user_load():
    return session['Hi']


reactjs:

// The backend is reached at ip:5000, so the URL needs a scheme and port.
// `withCredentials` makes the browser store and send the session cookie on a
// cross-origin request; a GET has no body, so no FormData or Content-Type header.
return axios
      .get('http://12.34.56.78:5000/give', { withCredentials: true })
      .then(() =>
        axios.get('http://12.34.56.78:5000/take', { withCredentials: true })
      )
      .then((res) => res.data)
      

On a server with ip='12.34.56.78' and domain 'example.com': when using the domain or IP on Safari, the output is

'there'

for both

however, on Chrome, for the IP the output is

'there'

however, for the domain, the output is

Key Error

edit: Some more info: This is on an AWS EC2 Ubuntu server, which is running on port 80 for the frontend and 5000 for the backend. I connected the IP address to the domain name with AWS Route 53... just in case this is relevant. To access the frontend, one can go to the IP or the domain, whereas to access the backend, one must go to ip:5000

Any more info needed?

Is this fixable? Thanks!


Solution

  • I think the problem is with how Google Chrome manages cookies. It's the 'SameSite' attribute. Back on July 14th, 2020, Google started gradually rolling out a new browser policy with a few major changes. One treats cookies as SameSite=Lax by default if no SameSite attribute is specified. The other deprecates and removes the use of cookies with the SameSite=None attribute that do not include the Secure attribute. That means that any cookie that requests SameSite=None but is not marked Secure is now being rejected. This means that the front-end can’t contact the back-end and the site is not working. To fix it, you just need to make sure that when your _SESSION_ID cookie is created it includes the SameSite=None and Secure attributes.

    P.S.1: Based on Caleb's article. Its back-end is Ruby on Rails, but I don't think this is an issue. P.S.2: Before changing anything, try other Chrome-based browsers like Vivaldi, Comodo or even the new Microsoft Edge.
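To see why the IP origin works and the domain origin fails, here is an added Python model (not from the question, the answer, or Flask-Session's own code) of the Chrome cookie rules the answer describes, run over the question's setup. The Flask settings SESSION_COOKIE_SAMESITE and SESSION_COOKIE_SECURE named in the comments are Flask's standard config keys, which I assume Flask-Session's cookie interface reads from app.config; the IP, domain and cookie values are constructed samples.

```python
from http.cookies import SimpleCookie
from urllib.parse import urlsplit

# Constructed sample values mirroring the question: frontend on :80, backend on :5000.
FRONTEND_IP = 'http://12.34.56.78'
FRONTEND_DOMAIN = 'http://example.com'
BACKEND = 'http://12.34.56.78:5000'
# Shape of the Set-Cookie header with no SameSite configured (constructed value).
DEFAULT_HEADER = 'session=abc123; Path=/; HttpOnly'
# Shape after SESSION_COOKIE_SAMESITE='None' and SESSION_COOKIE_SECURE=True (assumed keys).
FIXED_HEADER = 'session=abc123; Path=/; HttpOnly; SameSite=None; Secure'


def site_of(url):
    """Approximate Chrome's 'site': scheme plus registrable domain, port ignored.
    Assumption: single-label public suffix, so app.example.com == example.com;
    an IPv4 literal is its own site."""
    parts = urlsplit(url)
    host = parts.hostname
    if host.replace('.', '').isdigit():
        return (parts.scheme, host)
    return (parts.scheme, '.'.join(host.split('.')[-2:]))


def chrome_sends_cookie(set_cookie, page_url, request_url):
    """Rules from the answer: no SameSite means Lax; SameSite=None needs Secure;
    Secure cookies only go over https; cross-site XHR only gets SameSite=None."""
    jar = SimpleCookie()
    jar.load(set_cookie)
    morsel = next(iter(jar.values()))
    samesite = (morsel['samesite'] or 'Lax').lower()
    secure = bool(morsel['secure'])
    if samesite == 'none' and not secure:
        return False                      # Chrome rejects the cookie outright
    if secure and urlsplit(request_url).scheme != 'https':
        return False                      # Secure cookies never ride plain http
    if site_of(page_url) == site_of(request_url):
        return True                       # same-site: Lax/Strict/None are all sent
    return samesite == 'none'             # cross-site: only SameSite=None is sent


def scenarios():
    """The question's matrix: IP frontend works, domain frontend loses the cookie."""
    https_backend = BACKEND.replace('http://', 'https://')
    return {
        'default, ip frontend': chrome_sends_cookie(DEFAULT_HEADER, FRONTEND_IP, BACKEND),
        'default, domain frontend': chrome_sends_cookie(DEFAULT_HEADER, FRONTEND_DOMAIN, BACKEND),
        'fixed, domain, http': chrome_sends_cookie(FIXED_HEADER, FRONTEND_DOMAIN, BACKEND),
        'fixed, domain, https': chrome_sends_cookie(FIXED_HEADER, FRONTEND_DOMAIN, https_backend),
    }
```

The third case is the practical catch: because Secure is mandatory with SameSite=None, the fix only takes effect once the backend on :5000 is served over HTTPS, and over plain HTTP the domain case stays broken.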