Safari not sending cookie even after setting SameSite=None; Secure

Deadly, submitted on 2020-02-21 11:19:20

Question


Our application uses cookies to remember user login. On every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and the request gets authenticated. This behaviour seems to be broken in Safari after the Mojave release.

I read about the cross-site cookie security implemented by safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None

Please advise or provide links from people who actually found a solution.


Answer 1:


Versions of Safari on macOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting.

I've published some guidance in SameSite cookie recipes on either:

  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.

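The two workarounds listed in the answer above, as an added example in plain Ruby (this is not code from the question, the answer, or the SameSite cookie recipes; function names, cookie names and the sample user-agent strings are constructed for illustration). The detection only encodes the two client families the answer names (Safari on macOS 10.14 and anything on iOS 12); a production list of incompatible clients covers more browsers than that.

```ruby
# Added example, not part of the original Stack Overflow thread.
# Demonstrates the two mitigations from the answer: a "double cookie" and
# user-agent sniffing that withholds SameSite=None from broken clients.

# Constructed sample user-agent strings (not captured from real traffic).
SAFARI_MOJAVE_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) " \
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15"
IOS12_CHROME_UA  = "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) " \
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) CriOS/76.0.3809.123 Mobile/15E148 Safari/604.1"
MODERN_SAFARI_UA = "Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) " \
                   "AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.1.2 Safari/605.1.15"

# True for the clients the answer describes as treating SameSite=None as
# SameSite=Strict: any browser on iOS 12, and Safari on macOS 10.14.
# Assumption: this list is deliberately limited to what the answer states.
def samesite_none_incompatible?(ua)
  # Every browser on iOS 12 shares the WebKit engine, so match the OS token.
  return true if ua.match?(%r{\(iP(?:hone|ad|od); CPU (?:iPhone )?OS 12[_\d]*\b})

  # Safari proper on macOS 10.14: carries "Version/" and no "Chrome/" token
  # (Chrome on macOS also ends its UA with "Safari/...").
  mac_mojave = ua.include?("Macintosh; Intel Mac OS X 10_14")
  return true if mac_mojave && ua.include?("Version/") && !ua.include?("Chrome/")

  false
end

# Strategy 1: emit two Set-Cookie headers. Compliant browsers store the
# SameSite=None; Secure cookie; broken ones still accept the "-legacy" twin
# that carries no SameSite attribute at all. Both stay Secure and HttpOnly.
def double_cookie_headers(name, value)
  [
    "#{name}=#{value}; Path=/; Secure; HttpOnly; SameSite=None",
    "#{name}-legacy=#{value}; Path=/; Secure; HttpOnly"
  ]
end

# Reading side for strategy 1: prefer the modern cookie, fall back to legacy.
def read_double_cookie(cookies, name)
  cookies[name] || cookies["#{name}-legacy"]
end

# Strategy 2: sniff the request's User-Agent and omit SameSite=None only for
# clients known to mishandle it; everyone else gets the fully attributed cookie.
def samesite_aware_header(name, value, ua)
  attrs = ["Path=/", "Secure", "HttpOnly"]
  attrs << "SameSite=None" unless samesite_none_incompatible?(ua)
  "#{name}=#{value}; #{attrs.join('; ')}"
end

if __FILE__ == $PROGRAM_NAME
  [SAFARI_MOJAVE_UA, IOS12_CHROME_UA, MODERN_SAFARI_UA].each do |ua|
    puts samesite_aware_header("my_cookie", "XXXXX", ua)
  end
  puts double_cookie_headers("my_cookie", "XXXXX")
end
```

The double-cookie approach needs no client detection but doubles the cookie footprint and requires the server to accept either name; the sniffing approach keeps a single cookie but depends on keeping the incompatible-client list current, which is exactly the "brittle regex" problem the next answer mentions.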


Answer 2:


For applications coded in Ruby (specifically, Rails, Sinatra, or anything atop Rack), the RailsSameSiteCookie gem solves this and related issues quite nicely. The code reads like a near translation of the pseudocode in the Chromium discussion without the brittle regexes.



Source: https://stackoverflow.com/questions/58525719/safari-not-sending-cookie-even-after-setting-samesite-none-secure
