
We have a webapp that embeds another webapp from a different site in an iFrame. This has been in place for a few years already. Last week we started to get error reports from some users. After investigation we found that on Chrome 84.0.4147.125, released Aug 10, 2020, the cookies in the iFrame are not sent back to the server. The issue only occurs since this Chrome version. Older versions and other browsers are working fine.

What has changed in this release that could have this impact?

scharette

1 Answer


Thanks @Eyal.D for pointing to the solution.

As stated in https://stackoverflow.com/a/45095345/1401409 :

Chrome now blocks cookies without SameSite set, so you need to explicitly set it to samesite=none.

I was able to fix this by adding the following in my httpd configuration:

Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None

I would add, as stated in https://stackoverflow.com/a/57874184/1401409 :

If you own the somesite.com you can opt out of this policy by setting the SameSite policy to None and deal with the risk of CSRF attacks by doing a Double Submit Cookie.

scharette
  • For those using Tomcat, this can be fixed by adding `` in META-INF/context.xml under the Context section. Also make sure to set the `secure=true` attribute on the HTTPS connector in server.xml – Kapil Aug 19 '20 at 11:11
  • I had success with that. Using session_cookie_set_param in PHP 7.3 doesn’t give expected results. – Marco Marsala Oct 02 '20 at 22:15
  • How do I add the same settings in a webview mobile app? – Lint Oct 10 '22 at 20:14
  • @Lint, I'm not familiar with webview, but from what I see it's a client. You would need to put these directives on the server. – scharette Oct 11 '22 at 18:24
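To make the behaviour behind the accepted answer concrete, here is an added example (not code from the question or the answer) that applies the same rewrite as the `Header edit` directive to constructed Set-Cookie headers and predicts, under the Chrome 84 defaults (missing SameSite treated as Lax; SameSite=None rejected unless Secure is present), whether each cookie would still reach the server from a cross-site iFrame. The sample headers and function names are assumptions for illustration.

```python
import re

# Constructed sample Set-Cookie headers (not taken from the original post).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",          # no SameSite: Lax by default
    "pref=dark; Path=/; SameSite=Lax",               # explicitly Lax
    "token=xyz; Path=/; Secure; SameSite=None",      # the working combination
    "bad=1; Path=/; SameSite=None",                  # None without Secure is dropped
]


def parse_set_cookie(header):
    """Split a Set-Cookie header into ("name=value", {attribute_lower: value})."""
    parts = [p.strip() for p in header.split(";")]
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip()
    return parts[0], attrs


def sent_in_cross_site_iframe(header):
    """Predict the Chrome 84 default: a cookie is sent to a cross-site iFrame's
    server only if it carries SameSite=None *and* Secure."""
    _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "Lax").lower()  # "Lax by default" behaviour
    if samesite != "none":
        return False
    # SameSite=None without Secure is rejected outright, so the cookie is never stored.
    return "secure" in attrs


def apply_httpd_edit(header):
    """Same transformation as: Header edit Set-Cookie ^(.*)$ $1;HttpOnly;Secure;SameSite=None
    Note it appends the attributes unconditionally, even if some are already present."""
    return re.sub(r"^(.*)$", r"\1;HttpOnly;Secure;SameSite=None", header)


def audit(headers):
    """Map each cookie name to whether it survives in a cross-site iFrame."""
    return {h.split("=", 1)[0]: sent_in_cross_site_iframe(h) for h in headers}


if __name__ == "__main__":
    print("before:", audit(SAMPLE_HEADERS))
    print("after: ", audit([apply_httpd_edit(h) for h in SAMPLE_HEADERS]))
```

Before the rewrite only `token` is delivered; after it every cookie is, which is exactly the behaviour change the answer's directive produces (and why the CSRF caveat from the second quote applies afterwards).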