I know it is a big topic on the internet, but I could not find any working solution till now.

Some of my clients integrate my website through an iframe. In Firefox/Chromium everything works fine after I set the SameSite attribute to None and added Secure to it.

Now there is also IE11 in the world, and I don't know what else to do to get my cookies right so that IE11 accepts them.

This is what the IE11 gets:

```
Set-Cookie: JSESSIONID=CFA2E0643F0CA81B68B4A984D7FC429D; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: JSESSIONID=CFA2E0643F0CA81B68B4A984D7FC429D; Expires=Mon, 05-Oct-2020 15:19:46 GMT; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: my-cart=f5e5dcea-8d9e-33a6-b228-9e7e6dc04f4a; Expires=Wed, 03-Mar-2032 06:19:46 GMT; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: sessionExpiry=; Max-Age=3605; Expires=Mon, 05-Oct-2020 15:19:51 GMT; Path=/; Secure;SameSite=None;Secure
Set-Cookie: anonymous-consents=%5B%5D; Max-Age=31536000; Expires=Tue, 05-Oct-2021 14:19:46 GMT; Path=/;SameSite=None;Secure
Set-Cookie: cookie-notification=NOT_ACCEPTED; Max-Age=360000000; Expires=Wed, 03-Mar-2032 06:19:46 GMT; Path=/; Secure;SameSite=None;Secure
```

As you can see, the Path starts with /. The Expires is set if needed, and the time is correct.

Is there anything else that I missed?

Mr.Tr33

1 Answer

As you're using Windows Server 2012, the root cause of the issue is that SameSite cookie is only supported in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer. So it doesn't work on your machine.

More information to reference:

(1) caniuse website

(2) SameSite Browser Compatibility

(3) Change status of SameSite cookie


To make cross domain cookies work with IE, I found some similar threads: link1, link2, and they all point to using P3P policy. You can refer to this answer for the detailed information about how to use P3P policy.

Yu Zhou
  • As you can see in my request response, I already set SameSite to None. And I don't have an ASP.NET application, it is a Java application with Tomcat and Apache. – Mr.Tr33 Oct 06 '20 at 08:31
  • You say your clients integrate your website through an iframe. Do they use .NET framework? I know you have set SameSite to None. But the point is that only setting the `SameSite` to `None` is not enough, we also need to set `cookieSameSite` to `None` (if they use .NET framework). Correct me if they're not using .NET framework and I'll try to find if there's other solution. – Yu Zhou Oct 06 '20 at 08:59
  • I don't know what they use, I will ask. But if I create a simple .html file on my desktop and open the same link in an iframe, it is not working either. – Mr.Tr33 Oct 06 '20 at 09:32
  • Which version of OS are you using? From the doc, SameSite cookie is only supported in IE 11 on Windows 10 RS3 (2017 Fall Creators Update) and newer. You can check [this link](https://caniuse.com/same-site-cookie-attribute) and [this link](https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#Browser_compatibility) for more information. – Yu Zhou Oct 08 '20 at 08:53
  • For my testing I used a Windows Server 2012. Is there any other solution to get an iframe running with foreign cookies? – Mr.Tr33 Oct 08 '20 at 12:20
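
An added example (not part of the original question, answer or comments): a small Python check over the `Set-Cookie` headers quoted in the question. It flags attributes that appear more than once in a header, cookies set more than once in the same response, and `SameSite=None` sent without `Secure`. The function names and finding labels are assumptions made for this example.

```python
from collections import Counter

# Response headers copied verbatim from the question.
HEADERS = """\
Set-Cookie: JSESSIONID=CFA2E0643F0CA81B68B4A984D7FC429D; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: JSESSIONID=CFA2E0643F0CA81B68B4A984D7FC429D; Expires=Mon, 05-Oct-2020 15:19:46 GMT; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: my-cart=f5e5dcea-8d9e-33a6-b228-9e7e6dc04f4a; Expires=Wed, 03-Mar-2032 06:19:46 GMT; Path=/; Secure; HttpOnly;SameSite=None;Secure
Set-Cookie: sessionExpiry=; Max-Age=3605; Expires=Mon, 05-Oct-2020 15:19:51 GMT; Path=/; Secure;SameSite=None;Secure
Set-Cookie: anonymous-consents=%5B%5D; Max-Age=31536000; Expires=Tue, 05-Oct-2021 14:19:46 GMT; Path=/;SameSite=None;Secure
Set-Cookie: cookie-notification=NOT_ACCEPTED; Max-Age=360000000; Expires=Wed, 03-Mar-2032 06:19:46 GMT; Path=/; Secure;SameSite=None;Secure
"""

def parse_set_cookie(line):
    """Return (cookie_name, [(attribute_lowercased, value), ...]) for one header."""
    value = line.split(":", 1)[1].strip()          # drop the "Set-Cookie:" prefix
    parts = [p.strip() for p in value.split(";") if p.strip()]
    name = parts[0].split("=", 1)[0]
    attrs = []
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs.append((key.strip().lower(), val.strip()))
    return name, attrs

def audit(header_text):
    """Return a list of (cookie_name, finding) tuples, in header order."""
    findings, seen = [], Counter()
    for line in header_text.splitlines():
        if not line.lower().startswith("set-cookie:"):
            continue
        name, attrs = parse_set_cookie(line)
        seen[name] += 1
        keys = [k for k, _ in attrs]
        for attr, count in Counter(keys).items():
            if count > 1:
                findings.append((name, f"duplicate-{attr}"))
        samesite = [v.lower() for k, v in attrs if k == "samesite"]
        if "none" in samesite and "secure" not in keys:
            findings.append((name, "samesite-none-without-secure"))
    for name, count in seen.items():
        if count > 1:
            findings.append((name, "set-more-than-once"))
    return findings

if __name__ == "__main__":
    for cookie, finding in audit(HEADERS):
        print(f"{cookie}: {finding}")
```

On the question's headers this reports a repeated `Secure` attribute in five of the six headers and `JSESSIONID` being set twice, which is consistent with `SameSite=None;Secure` being appended to headers that already carried `Secure`. No header sends `SameSite=None` without `Secure`.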