Session cookie set `SameSite=None; Secure;` does not work

旧街凉风 提交于 2021-01-27 07:20:46

问题


I added SameSite=None; Secure; to set-cookie. but the cookie was not set and I can’t log in to my site.

response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});

I reviewed the cookie in developer tools under Application>Storage>Cookies and see more details. it showed a warning message:

this set-cookie was blocked because it was not sent over a secure connection

chrome blockes cookies, Because I work on the development environment and i send http request. But this test on Firefox browser logs in correctly.
I put the word secure inside the cookie and it worked properly, but because the word secure must be used next to samesite = none for cross-origin, otherwise the cookie will be blocked.
My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers. And that if I do not use secure I can not test the payment gateway because it blocks Chrome cross-orign if I do not use secure...


回答1:


My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers

I am not sure about other browsers but Chrome implements strategy of allowing cookies with secure attribute over secure connection as per this IETF draft.

While this draft is implemented for Chrome, it is not on Firefox which is why on Firefox in you go to about:config > network.cookie.sameSite.noneRequiresSecure, default value is false.

If you just need to do it for your local dev environment, You can retain the old behavior for cookies in chrome by disabling

  1. chrome://flags/#same-site-by-default-cookies
  2. chrome://flags/#cookies-without-same-site-must-be-secure

I have to support legacy http clients, but if I make https:// origin secure , I can't set cookie from http, more over I can't access this cookie from http, my goal is to have SameSite=None, Secure on http and not secure on http:// origin, any ideas, instead of establishing protests near google office ?

Given that it is going to be standard in near future, I doubt you will be able to achieve this behavior for client applications, only route is to go secure, HTTPS.

Reference:

  1. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
  2. https://redmondmag.com/articles/2020/01/28/samesite-cookie-changes-break-apps.aspx



回答2:


Sometome cookies wouldn't work as expected because Some cookies are misusing the sameSite attribute. Cookie SomeCookie rejected cause of it has the sameSite=none attribute but it is missing the secure attribute. So any cookie that requests SameSite=None must marked as Secure.

Set-Cookie: product=pen; SameSite=None

For fixing this, you must add the Secure attribute to your SameSite=None cookies.

Set-Cookie: flavor=choco; SameSite=None; Secure

A Secure cookies will only sent to the server with an encrypted request over the HTTPS protocol.

Note: insecure sites (http:) can't set cookies with the Secure directive.



来源:https://stackoverflow.com/questions/63534843/session-cookie-set-samesite-none-secure-does-not-work

易学教程内所有资源均来自网络或用户发布的内容,如有违反法律规定的内容欢迎反馈
该文章没有解决你所遇到的问题?点击提问,说说你的问题,让更多的人一起探讨吧!