Safari not sending cookie even after setting SameSite=None; Secure

一个人的身影 2020-12-06 00:08

Our application uses cookies to remember user login. On every auth API call we make, the browser attaches the server-set HttpOnly cookie with the API request and gets authenticated.

2 Answers
  • 2020-12-06 00:14

    For applications coded in Ruby (specifically, Rails, Sinatra, or anything atop Rack), the RailsSameSiteCookie gem solves this and related issues quite nicely. The code reads like a near translation of the pseudocode in the Chromium discussion without the brittle regexes.

  • 2020-12-06 00:24

    Versions of Safari on macOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting.

    I've published some guidance in SameSite cookie recipes on either:

    • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
    • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.
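The first option in the answer above (two sets of cookies) can be sketched as follows. This is an added example, not code from the answer or from the "SameSite cookie recipes" it mentions; the cookie names `session` and `session-legacy`, the helper names and the sample token are assumptions.

```javascript
// Added example: all names below are assumptions, not taken from the page.
const NAME = "session";           // assumed cookie name
const LEGACY = NAME + "-legacy";  // fallback for browsers that mishandle SameSite=None

// Build both Set-Cookie header values for one session token.
function buildSetCookieHeaders(token, maxAgeSeconds = 3600) {
  const value = encodeURIComponent(token);
  const common = `Path=/; Max-Age=${maxAgeSeconds}; Secure; HttpOnly`;
  return [
    // Browsers that implement SameSite=None correctly: explicit cross-site cookie.
    `${NAME}=${value}; ${common}; SameSite=None`,
    // Affected browsers: no SameSite attribute at all, so the bug is never triggered.
    `${LEGACY}=${value}; ${common}`,
  ];
}

// Parse a Cookie request header into a name -> value map.
function parseCookieHeader(header) {
  const jar = new Map();
  for (const part of (header || "").split(";")) {
    const pair = part.trim();
    const eq = pair.indexOf("=");
    if (eq < 1) continue; // skip empty or nameless fragments
    const name = pair.slice(0, eq).trim();
    let raw = pair.slice(eq + 1).trim();
    try { raw = decodeURIComponent(raw); } catch (_) { /* keep raw on bad encoding */ }
    if (!jar.has(name)) jar.set(name, raw); // first occurrence wins
  }
  return jar;
}

// Prefer the SameSite=None cookie; fall back to the legacy one.
function readSessionToken(cookieHeader) {
  const jar = parseCookieHeader(cookieHeader);
  if (jar.has(NAME)) return { token: jar.get(NAME), source: NAME };
  if (jar.has(LEGACY)) return { token: jar.get(LEGACY), source: LEGACY };
  return null; // not authenticated
}

// Constructed sample requests (cross-site API calls).
const sample = "tok_3f9a"; // constructed sample value
console.log(buildSetCookieHeaders(sample));
console.log(readSessionToken(`${NAME}=${sample}`));   // browser that honours SameSite=None
console.log(readSessionToken(`${LEGACY}=${sample}`)); // affected Safari / iOS 12 browser
console.log(readSessionToken("theme=dark"));          // neither cookie present
```

Both cookies keep `Secure` and `HttpOnly`, and both must be cleared together on logout so a stale legacy cookie cannot outlive the session.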