I have this chat application that has been working for a while now, but all of a sudden it's giving me this issue on the client side:

Because a cookie's SameSite attribute was not set or is invalid, it defaults to SameSite=Lax,
which prevents the cookie from being set in a cross-site context. This behavior protects 
user data from accidentally leaking to third parties and cross-site request forgery.

Resolve this issue by updating the attributes of the cookie:
Specify SameSite=None and Secure if the cookie is intended to be set in cross-site contexts.
Note that only cookies sent over HTTPS may use the Secure attribute.

I'm using axios like this on my React client:

axios.defaults.withCredentials = true
axios.post('https://easytalkchatappv2.herokuapp.com/signin', {
  username: username,
  password: password
}).then(res => {
  console.log(res.data)
})

I'm setting cookies using JWT by doing this in my Nodejs Express server inside the post request for /signin:

const user = {id: resp.insertedId}
const accessToken = await jwt.sign(user, process.env.ACCESS_TOKEN_SECRET)

res.cookie('token', accessToken)

I'm using cookie-parser as well. How do I add these SameSite and Secure attributes to the cookies?

tsnakejake
    You can achieve this using CORS as middleware in your Node application: https://www.npmjs.com/package/cors https://expressjs.com/en/resources/middleware/cors.html There's also another similar question raised on Stack Overflow with an answer that may help: https://stackoverflow.com/questions/58270663/samesite-warning-chrome-77 – Jake B. Aug 01 '20 at 20:56

1 Answer

You should be able to pass the 'secure' and 'sameSite' properties to the res.cookie method, like below, where x is replaced with the value you would like to use:

res.cookie('token', accessToken, { sameSite: x, secure: x })

As shown here in the Express documentation: https://expressjs.com/en/api.html#res.cookie

Jake B.
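The following is an added example, not code from the question or the answer. It approximates the Set-Cookie header that Express's res.cookie would produce for a given options object, then applies the browser rules quoted in the warning (a missing or invalid SameSite defaults to Lax; SameSite=None is only honoured together with Secure, and Secure cookies only arrive over HTTPS) to show which variants a cross-origin React client would actually keep. The token value and the helper names are constructed for the demonstration; only Node built-ins are used, so no Express server is started.

```javascript
// Added example: serialize a cookie the way Express/cookie does and check it
// against the SameSite rules from the browser warning. Helper names are constructed.

const SAMESITE_VALUES = { strict: 'Strict', lax: 'Lax', none: 'None' };

// Approximates res.cookie(name, value, opts): sameSite accepts true, 'strict',
// 'lax' or 'none'; Path defaults to '/' as in Express.
function buildSetCookie(name, value, opts = {}) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (opts.maxAge !== undefined) parts.push(`Max-Age=${Math.floor(opts.maxAge / 1000)}`);
  parts.push(`Path=${opts.path || '/'}`);
  if (opts.domain) parts.push(`Domain=${opts.domain}`);
  if (opts.httpOnly) parts.push('HttpOnly');
  if (opts.secure) parts.push('Secure');
  if (opts.sameSite !== undefined) {
    const key = opts.sameSite === true ? 'strict' : String(opts.sameSite).toLowerCase();
    const label = SAMESITE_VALUES[key];
    if (!label) throw new TypeError(`invalid sameSite value: ${opts.sameSite}`);
    parts.push(`SameSite=${label}`);
  }
  return parts.join('; ');
}

// Parse a Set-Cookie header back into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Would a browser following the warning's rules store this cookie from a
// cross-site response? Missing/invalid SameSite is treated as Lax.
function evaluateCrossSite(header, { overHttps }) {
  const { attrs } = parseSetCookie(header);
  const raw = attrs.samesite === undefined ? '' : String(attrs.samesite).toLowerCase();
  const sameSite = SAMESITE_VALUES[raw] || 'Lax';
  if (sameSite !== 'None') {
    return { accepted: false, reason: `SameSite=${sameSite} blocks a cross-site set` };
  }
  if (!attrs.secure) {
    return { accepted: false, reason: 'SameSite=None requires Secure' };
  }
  if (!overHttps) {
    return { accepted: false, reason: 'Secure cookie rejected on a non-HTTPS response' };
  }
  return { accepted: true, reason: 'SameSite=None; Secure over HTTPS' };
}

// Constructed placeholder, not a real signed JWT.
const accessToken = 'constructed.jwt.token';

// What the question's res.cookie('token', accessToken) sends, and the hardened form.
const before = buildSetCookie('token', accessToken);
const after = buildSetCookie('token', accessToken, { sameSite: 'none', secure: true, httpOnly: true });
console.log(before, evaluateCrossSite(before, { overHttps: true }));
console.log(after, evaluateCrossSite(after, { overHttps: true }));
```

HttpOnly is included in the hardened variant because the cookie carries a session token that the React code never needs to read. On the server side the cross-site set only works if the CORS middleware mentioned in the comment is configured with credentials enabled and an explicit origin, since a wildcard origin cannot be combined with credentialed requests; on the client, withCredentials must stay true as in the question.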