14

I added SameSite=None; Secure; to set-cookie. but the cookie was not set and I can’t log in to my site.

response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});

I reviewed the cookie in developer tools under Application>Storage>Cookies and see more details. it showed a warning message:

this set-cookie was blocked because it was not sent over a secure connection

chrome blockes cookies, Because I work on the development environment and i send http request. But this test on Firefox browser logs in correctly.
I put the word secure inside the cookie and it worked properly, but because the word secure must be used next to samesite = none for cross-origin, otherwise the cookie will be blocked.
My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers. And that if I do not use secure I can not test the payment gateway because it blocks Chrome cross-orign if I do not use secure...

mrbelane
  • 175
  • 1
  • 1
  • 7
  • "_it was not sent over a secure connection_". "_secure connection_" here means https schema, and the cookie is not accepted with http schema. – Teemu Oct 27 '20 at 16:32

2 Answers2

9

My question is why when I use secure, only the Chrome browser blocks the cookie, but it is true in other browsers

I am not sure about other browsers but Chrome implements strategy of allowing cookies with secure attribute over secure connection as per this IETF draft.

While this draft is implemented for Chrome, it is not on Firefox which is why on Firefox in you go to about:config > network.cookie.sameSite.noneRequiresSecure, default value is false.

If you just need to do it for your local dev environment, You can retain the old behavior for cookies in chrome by disabling

  1. chrome://flags/#same-site-by-default-cookies
  2. chrome://flags/#cookies-without-same-site-must-be-secure

I have to support legacy http clients, but if I make https:// origin secure , I can't set cookie from http, more over I can't access this cookie from http, my goal is to have SameSite=None, Secure on http and not secure on http:// origin, any ideas, instead of establishing protests near google office ?

Given that it is going to be standard in near future, I doubt you will be able to achieve this behavior for client applications, only route is to go secure, HTTPS.

Reference:

  1. https://web.dev/samesite-cookies-explained/#changes-to-the-default-behavior-without-samesite
  2. https://redmondmag.com/articles/2020/01/28/samesite-cookie-changes-break-apps.aspx
Community
  • 1
  • 1
Dipen Shah
  • 25,562
  • 1
  • 32
  • 58
  • The problem that I can't update clients which uses http, and can't redirect them. The "secure" attribute, makes cookie unusable on http origin, which is wrong i guess, i think it should allow to set separate "non secure" cookie in different storage. – zb' Nov 02 '20 at 00:55
  • I'm trying to send cookie cross site via payment gateway using header('Set-Cookie: cookie2=value2; SameSite=None; Secure', true); But once the payment is complete and user gets back to product page to order again, payment is getting done but the cart data (session) is being block by chrome. I don't understand what's wrong. – Dante Sep 20 '21 at 13:54
  • Not sure what do you mean by session is being blocked by chrome. Are you seeing cookie using developer tool? Do you have a site that I can take a look at? – Dipen Shah Sep 20 '21 at 14:02
  • Support for the `same-site-by-default-cookies` or the other flag on Chrome was removed, so the solution now is to use firefox https://piunikaweb.com/2021/06/14/google-chrome-flags-for-samesite-cookies-taken-away-after-update-v91/ – Bersan Nov 11 '22 at 22:06
4

Sometome cookies wouldn't work as expected because Some cookies are misusing the sameSite attribute. Cookie SomeCookie rejected cause of it has the sameSite=none attribute but it is missing the secure attribute. So any cookie that requests SameSite=None must marked as Secure.

Set-Cookie: product=pen; SameSite=None

For fixing this, you must add the Secure attribute to your SameSite=None cookies.

Set-Cookie: flavor=choco; SameSite=None; Secure

A Secure cookies will only sent to the server with an encrypted request over the HTTPS protocol.

Note: insecure sites (http:) can't set cookies with the Secure directive.

Nbody
  • 1,168
  • 7
  • 33
  • what to do if I just want to make my cookie continue to work in future chromium releases the same way as before (regardless secure, be crossdomain) ? – zb' Nov 03 '20 at 09:19
  • I think the official answer to your follow up question is "get the clients off HTTP", they *really* don't want to keep supporting non-SSL connections – Coderer May 28 '21 at 13:24
  • thanks for the **Note**. Any way though of making this work with http:: on development? – Shani Kehati Jul 26 '21 at 07:54
  • but i dont have https for my local development setup, how am I supposed to set a cookie if setting a cookie cross-site requires `SameSite=None` and `SameSite=None` requires `Secure=true`, this is ridiculous – Bersan Nov 11 '22 at 21:59