The latest version of Chrome (85.0.4183.83) is removing my 3rd party cookies, although they are set as SameSite=None; secure; - how can this be, and am I the only one experiencing this?
They are also HttpOnly, if that matters, and it happens when setting the cookie through a Chrome Extension.
Chrome 85 seems to be removing 3rd party cookies set by Chrome Extensions, regardless of SameSite attribute. It doesn't seem to be documented, so it may be unintended.
I am trying to load a page as an iframe. It loads correctly on Firefox but the request fails on Chrome.
JSESSIONID=.......; path=/idp; HttpOnly
Chrome rejects the request by not setting the cookie or something similar. I already tried it with an unsecured Chrome, but the issue still exists.
A warning on Firefox:
Cookie “_idp_authn_lc_key” does not have a proper “SameSite” attribute value. Soon, cookies without the “SameSite” attribute or with an invalid value will be treated as “Lax”.
Also, I changed the Chrome settings to allow cookies from 3rd parties. I don't have any extensions on Chrome (such as adblock or similar extensions).
The main issue seems to be the default value for SameSite on Chrome, which is Lax when the attribute is not present, but currently it is None on Firefox.
Does anybody have an idea how I can change the default on Chrome?
We have a web application with an iframe, which needs a cookie to access our server. We have set this cookie with the SameSite=None;Secure value, but the Chrome browser still filters out this cookie.
Filtered out cookie list:
The third cookie in this picture is filtered out. I thought cookies with "SameSite=None;Secure" should be sent with the request. What did I miss?
Check https://samesite-sandbox.glitch.me to see if your browser is enforcing the new defaults. If it's all green ✔, then it is. If there is any red or orange ✘ then something is affecting how cookies are set.
Check you do not have the setting enabled to block third-party cookies, e.g. go to chrome://settings/content/cookies and ensure "Block third-party cookies" is off.
Extensions may also affect cookies. Try testing in an incognito window or a fresh Chrome profile with no extensions installed.
I am trying to make a CORS request with credentials (cookies attached) and Chrome is not attaching the cookie to my request. I have set the cookie to a sub-domain of the existing page and I could observe it is set successfully from the cookie manager.
I do not have this problem with Chrome version 78 (latest version). But for the previous versions, I have this problem (I have checked 75 and 77). I also do not have any problem with other major browsers. They attach cookies without a problem. (I have tested my code with Firefox, IE, Opera and Edge.)
This is how I have set the cookie from the external service end.
res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None;');
The complete sample code base can be found at the following links:
External service - https://github.com/bhanukayapa/cors-backend.git
Front-end application - https://github.com/bhanukayapa/cors-angular-frontend.git
Can someone please explain the root cause of this problem? I checked the Chrome release notes also. I could not find any bug fix or improvement related to this. Thanks in advance.
If setting SameSite=None, this must be paired with Secure, e.g.:
res.setHeader('Set-Cookie','cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None; Secure');
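Added example (not part of the original answer or the linked repositories): a small Node.js check that parses a Set-Cookie value and reports how a browser enforcing the SameSite defaults discussed in these threads treats it on a cross-site iframe or CORS request. The function names and the JSESSIONID value are assumptions made for illustration; the sample headers are constructed from the ones quoted on this page.

```javascript
// Added example: classify a Set-Cookie value for cross-site (third-party) use
// under the SameSite defaults: missing/invalid SameSite is treated as Lax,
// and SameSite=None is only accepted together with Secure.
function parseSetCookie(header) {
  const [pair = '', ...attrs] = header.split(';').map(s => s.trim()).filter(Boolean);
  const eq = pair.indexOf('=');
  if (eq < 1) throw new Error('expected a name=value cookie pair');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1); // flag attributes become true
  }
  return cookie;
}

function crossSiteVerdict(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : '';
  const secure = attrs.secure === true;
  // Missing or unrecognised SameSite values fall back to Lax.
  const mode = ['strict', 'lax', 'none'].includes(raw) ? raw : 'lax';
  if (mode === 'none' && !secure) {
    return { name, mode, sentCrossSite: false,
             reason: 'SameSite=None without Secure: cookie is rejected' };
  }
  if (mode === 'none') {
    return { name, mode, sentCrossSite: true,
             reason: 'SameSite=None; Secure: sent on cross-site requests over HTTPS' };
  }
  return { name, mode, sentCrossSite: false,
           reason: `SameSite=${mode}: withheld from cross-site iframe and XHR/fetch requests` };
}

// Constructed samples modelled on the headers quoted on this page.
const samples = [
  'JSESSIONID=abc123; path=/idp; HttpOnly',
  'cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None;',
  'cdn-token=exp3header_same-site-none; domain=.local.com; path=/; SameSite=None; Secure',
];
for (const s of samples) console.log(crossSiteVerdict(s));
```

A sentCrossSite value of true only covers the SameSite rules; the cookie is still dropped if the browser is set to block third-party cookies, as the answer about chrome://settings/content/cookies points out.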
As of version 56 Chrome does not accept cookies in my setup. The setup is
https://login-with.now.sh is the "app"
https://login.now.sh is an authentication microservice which (on success) sets two cookies ("jwt" and "profile"). The cookie Domain is set to "now.sh"
However, the cookies are visible in the response header (dev tools) but they don't appear back in the login-with.now.sh "app".
This did work with Chrome 55
It is still working with Safari, Firefox and Edge.
Is something wrong with my cookies or what is the matter here?
This is a bug in Chrome which is filed in the Chrome bugtracker.
I am sending a response and setting a maxAge for the cookie as -1. All browsers except Chrome delete my cookie once the browser is closed.
Chrome browser shows -
But the cookie still does not get deleted when I close the browser. How do I delete a cookie on Chrome? Or is there any robust way which will work on all the browsers?
Likely to be one of these problems:
Chrome is still running in the background even though you closed the browser, so the session did not clear up.
One of the many bugs [1] relating to the session cookie deletion problem in Chrome.
[1] https://groups.google.com/a/chromium.org/forum/#!searchin/chromium-bugs/session$20cookies$20not$20deleted
As per the spec, not setting the max-age and expires directives causes browsers to treat your cookie as a session cookie. cookie.setMaxAge(-1) is doing the right thing internally if you say it works on all other browsers except Chrome, though you can try setting a cookie without max-age and expires, i.e., to have your HTTP header field like this:
Set-Cookie: test=2015; Path=/; Domain=.example.
I believe the robust solution is to go by the spec. Do not bother about setting expires and max-age values if you want a strict session cookie. We then leave it up to the browsers to respect the spec.