In node.js (using the Hapi framework) I'm creating a link for the user to allow my app to read the user's account. Google handles that request and asks about giving permissions. Then Googl
This issue is caused by hapi-auth-cookie not dealing yet with isSameSite (a new feature of Hapi). We can set it manually, e.g.:

    const Hapi = require('hapi');

    const server = new Hapi.Server({
        connections: {
            state: {
                // Default SameSite value for cookies set by this server
                isSameSite: 'Lax'
            }
        }
    });

But please consider that by default you have the 'Strict' option, and in many cases you may not want to change that value.
A recent version of Chrome was displaying this warning in the console:

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

My server redirects a user to an authentication server if they didn't have a valid cookie. Upon authentication, the user would be redirected back to my server with a validation code. If the code was verified, the user would be redirected again into the website with a valid cookie.
I added the SameSite=Secure option to the cookie but Chrome ignored the cookie after a redirect from the authentication server. Removing that option fixed the problem, but the warning still appears.
A standalone demo of this issue: https://gist.github.com/isaacs/8d957edab609b4d122811ee945fd92fd
It's a bug in Chrome.
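
A simplified model of the SameSite rules that the posts above revolve around, as an added example (not code from the posts, from Hapi, or from Chrome). The function names and the sample headers and requests are constructed for illustration, and the model covers only the defined values Strict, Lax and None.

```javascript
// Added example: simplified SameSite model, not a browser implementation.
const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);
const DEFINED_VALUES = ['strict', 'lax', 'none'];

// Parse a Set-Cookie header value and report SameSite-related problems.
function auditSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false, problems: [] };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') {
      if (DEFINED_VALUES.includes(value.toLowerCase())) cookie.sameSite = value.toLowerCase();
      else cookie.problems.push(`unrecognised SameSite value "${value}"`);
    }
  }
  if (cookie.sameSite === null && cookie.problems.length === 0) {
    cookie.problems.push('no SameSite attribute');
  }
  if (cookie.sameSite === 'none' && !cookie.secure) {
    cookie.problems.push('SameSite=None without Secure');
  }
  return cookie;
}

// Decide whether a cookie with the given SameSite value accompanies a request.
// request: { crossSite, topLevelNavigation, method }
function isSent(sameSite, request) {
  if (!DEFINED_VALUES.includes(sameSite)) throw new Error(`unmodelled value: ${sameSite}`);
  if (!request.crossSite || sameSite === 'none') return true;
  if (sameSite === 'lax') return request.topLevelNavigation && SAFE_METHODS.has(request.method);
  return false; // strict: never sent on cross-site requests
}

// Constructed sample requests: the redirect back from an identity provider
// is a top-level GET navigation initiated from another site.
const loginCallback = { crossSite: true, topLevelNavigation: true, method: 'GET' };
const crossSitePost = { crossSite: true, topLevelNavigation: true, method: 'POST' };

for (const value of DEFINED_VALUES) {
  console.log(value, 'callback:', isSent(value, loginCallback), 'post:', isSent(value, crossSitePost));
}
console.log(auditSetCookie('sid=abc; HttpOnly; SameSite=None').problems);
```

The Lax row is the trade-off: the session cookie survives the login callback, while cross-site POSTs still arrive without it.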