27

It seems that the recent update of Chrome to version 83.0.4103.116 brought a change to the Cookie handling.

I am providing a single-sign-on for my users that signs them in into several websites. Similar to Stackoverflow I am doing an AJAX request with Jquery:

crossDomain: true, 
xhrFields: { withCredentials: true },

And in PHP I allow the domain:

// needed for cross-domain request
header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Credentials: true');

However, now it does not work anymore.

In the dev console I found a new warning with the tooltip:

"This Set-Cookie was blocked due to user preferences"

chrome warning tooltip

How to fix this?



Update:

I just see that the Single-Sign-On of Stackoverflow is not working anymore either!

enter image description here



PS: A related question suggest to tell your users to change the Chrome settings, from my POV, I'd like to avoid this. Just imagine SO informing millions of users to enable the Cookies to do a single-sign-on...

sideshowbarker
  • 81,827
  • 26
  • 193
  • 197
Avatar
  • 14,622
  • 9
  • 119
  • 198
  • 1
    @Jay Blanchard: I specifically said it's not about changing the Chrome settings (which is an accepted answer in the other question). And it does not deal with single-sign-on, Ajax and PHP. - Please be so kind and remove the close flag. – Avatar Jun 25 '20 at 14:54
  • Did you research all of the duplicates and find that none pertained to you? – Jay Blanchard Jun 25 '20 at 14:57
  • 1
    Of course. E.g. https://stackoverflow.com/search?q=chrome+Set-Cookie+blocked+user+preferences or google https://www.google.com/?q=This+Set-Cookie+was+blocked+due+to+user+preferences ... And again, just to point out the significance, all SO/Stackexchange users will be affected. – Avatar Jun 25 '20 at 15:00
  • Have you determined that the cause is actually the user's setting, and you want to circumvent that setting. Or that the user is allowing them, but you are still getting that blocked message, and cannot figure out why its showing the blocked message when the user has not set to block cookies? – IncredibleHat Jun 25 '20 at 15:02
  • 1
    I have the default settings: Allow sites to save and read cookie data ON. **Block third parties OFF**. The login worked until yesterday, now it stopped with the warning above. Try to login to SO and then head over to superuser.com (or another site where you have a second account). You are not logged-in anymore. – Avatar Jun 25 '20 at 15:06
  • 2
    Appears that the clean-install default settings in Chrome are to block 3rd party cookies (all). Which may be a ramp up for their SameSite requirements in a later version update. I guess this is to protect users from themselves, which does pose a bit of a problem when chrome decides one of your own cookies is a 3rd party cookie (cookie set from a domain that is not the current domain). – IncredibleHat Jun 25 '20 at 15:13
  • Shouldn't this be asked on meta instead? – Funk Forty Niner Jun 25 '20 at 15:18
  • Here is a screen recording that shows that the SSO login of Stackoverflow/Stackexchange/Superuser is not working anymore: https://github.com/q2apro/gifs/blob/master/2020-06-25%20Chrome%20SSO%20Login%20Stackoverflow-Superuser.gif – Avatar Jun 25 '20 at 15:18
  • 2
    @FunkFortyNiner No, we need a technical solution. There will be many websites/developers running into the same issue in the next days. – Avatar Jun 25 '20 at 15:19
  • However you are overlooking that you can still sign in on each site with the same user. So blocking 3rd party cookies is only negatively affecting 'ease of use' where you are automatically signed in on all, when you sign in on one. Users who want that ease, can relax their default cookie settings. However it does not impede them from still signing in on each site correctly. – IncredibleHat Jun 25 '20 at 15:25
  • 1
    Was this occurring in Incognito? Chrome has a separate setting for blocking third-party cookies in Incognito. I was hung up on this for hours today and then when I used a regular (non-Incognito) window, it worked fine. – jessepinho Jul 28 '20 at 11:41
  • It happens in standard mode and incognito mode. – Avatar Jul 29 '20 at 06:18
  • wow, did not know that one can hover that yellow triangle! This is saved so much of my time! – Konstantin Vahrushev Sep 13 '22 at 10:20

5 Answers5

16

If you can only replicate this in Incognito and Pierre Pretorius's answer didn't help, you are probably being hit by a change in Chrome 83 where third party cookies are blocked by default in Incognito mode. See https://angel.co/today/stories/chrome-83-arrives-with-redesigned-security-settings-third-party-cookies-blocked-in-incognito-21796

I don't think you can do much to change this, and Google intend to making this the default behaviour in the future: https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox

EDIT: Google will not implement this until at least 2023 https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/

AML
  • 312
  • 3
  • 10
5

The site that is passing the set-cookie HTTP header also needs to pass the SameSite as None and also Secure, else the cookie is not saved and is ignored.

Set-Cookie: qa_session=...; SameSite=None; Secure

Before you do, please read the security implications: https://blog.heroku.com/chrome-changes-samesite-cookie

PHP code example (source):

function setcookieSameSite($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite="None")
{
  if (PHP_VERSION_ID < 70300) {
        setcookie($name, $value, $expire, "$path; samesite=$samesite", $domain, $secure, $httponly);
  }
  else {
      setcookie($name, $value, [
          'expires' => $expire,
          'path' => $path,
          'domain' => $domain,
          'samesite' => $samesite,
          'secure' => $secure,
          'httponly' => $httponly,
      ]);
   }
}
Pierre Pretorius
  • 2,869
  • 22
  • 21
  • Still, there is something that my browser does not like. The cookie comes as this: Set-Cookie: JSESSIONID=somevaluehere; path=/my-site-path;SameSite=None;Secure but the browser still says that it doesn't want to set it. Note: the re/rsp is within an iframe. – Victor Oct 16 '20 at 12:51
  • 2
    I have fixed it: the issue was that I was testing in Incognito mode in Chrome. Also, there was a default setting in Chrome that was specifying that Incognito mode should not accept 3rd Party cookies. So, I have enabled the option and the cookies are now saved. – Victor Oct 16 '20 at 14:26
  • for PHP 5.6.40 If you have no problem rebuilding the PHP binary, I managed to port this feature from PHP 7.3 to PHP 5.6.40, and there is now a pull request. See full answer here: https://stackoverflow.com/a/64960472/1641763 – Nadir Nov 22 '20 at 23:28
3

Select the first option in "Cookies and other site data" in Chrome settings which is "Allow all Cookies", It worked for me.

Check this Image

Zankhana Patel
  • 29
  • 2
3

This happens when you might have "Block third-party cookies" enabled in the browser. You can check this in:

Settings → Site Settings → Cookies and site data → Block third-party cookies

or Also available via:

chrome://settings/content/cookies

Chnage this setting to "Allow all cookies"

sharad jain
  • 1,471
  • 13
  • 9
0

This is due to a major change in cookie handling to help mitigate CSRF. Following this draft: https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07

The workarounds above won't work (the function setcookieSameSite) because you need to set the samesite flag on the session identifier (I can see the PHPSESSID has this message too ie "This Set-Cookie was blocked due to user preferences"). Or maybe by trying on session_set_cookie_params path? (untested).

In peculiar for PHP 5.6 branch, you need to set the session's cookie attribute.

btw It seems the qa_session cookie in your screenshot is a random cookie, for this one it is ok to use @Pierre-Pretorius answer, it will work.

for PHP 5.6.40, see my other answer here: https://stackoverflow.com/a/64960472/1641763

Community
  • 1
  • 1
Nadir
  • 695
  • 8
  • 12