
I have a socket.io application and recently I got this warning:

A cookie associated with a cross-site resource at URL was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Apparently it is something that Chrome will be updating in the future: SameSite warning Chrome 77

I already tried this but to no apparent avail: io = io.listen(server, { cookie: false });

I think the cookie doesn't do anything, so how can I disable io from setting it?

DinushaNT
GeekPeek

1 Answer

As per the issue reported in Socket.IO's GitHub repo, that cookie is not used for anything; you can disable it by setting cookie: false in the server options.

But what you have missed is setting the {cookie: false} option when initializing the socket, not in http.listen. The solution provided below, which uses Express as the server, worked for me.

// express must be required before it is called below
var express = require('express');
var server = require('http').createServer(express());
var io = require('socket.io')(server, { path: "/some/path", cookie: false });
DinushaNT
    This isn't true. The cookie is sometimes used to provide ELB (e.g. haproxy) stickiness when several parallel socket.io servers are available. – Daniel Aug 03 '20 at 05:48
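
The rule quoted in the Chrome warning above can be checked directly against the Set-Cookie headers a server returns, whether the cookie is disabled or kept. This is an added example, not code from the question, the answer or socket.io; the function names, status labels and sample header values are constructed for illustration.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const first = parts.shift() || '';
  const eq = first.indexOf('=');
  const name = eq === -1 ? '' : first.slice(0, eq).trim();
  const value = eq === -1 ? first : first.slice(eq + 1).trim();
  const attrs = Object.create(null); // no inherited keys to confuse lookups
  for (const part of parts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Classify a cookie against the rule in the warning: it is delivered with
// cross-site requests only when it carries both SameSite=None and Secure.
function crossSiteStatus(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite =
    typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  const secure = 'secure' in attrs;
  if (sameSite === 'none') {
    return secure ? 'cross-site-ok' : 'none-without-secure';
  }
  // No SameSite attribute at all is the case the warning is about.
  return sameSite === '' ? 'missing-samesite' : 'same-site-only';
}

// Audit every Set-Cookie header of a response (for example res.getHeader('set-cookie')).
function auditSetCookies(headers) {
  return headers.map((h) => ({
    name: parseSetCookie(h).name,
    status: crossSiteStatus(h),
  }));
}

// Constructed sample headers: a session-style cookie without SameSite,
// and a load-balancer stickiness cookie in three variants.
const sampleHeaders = [
  'io=constructedSessionId123; Path=/; HttpOnly',
  'lb=node2; Path=/; SameSite=None; Secure',
  'lb=node2; Path=/; SameSite=None',
  'lb=node2; Path=/; SameSite=Lax',
];
console.log(auditSetCookies(sampleHeaders));
```

A cookie reported as `missing-samesite` or `none-without-secure` is one that must either be disabled or be reissued with both attributes over HTTPS if it has to travel cross-site.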