I am seeing a auth0 samesite issue in chrome 80 version of our application. I looked into the previous forum and article but not able to find how to fix this problem. Is auth0 releasing any patch? We are using auth0 lock 11 version. This is seen in the console. I have posted in auth0 lock issues page but havent got any response yet.
A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure . You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and Chrome Platform Status.
If youâre seeing this error for cookies on the auth0.com domain this is generally not a problem. For compatibility reasons we set two versions of our cookies, one with and one without the SameSite attribute, so you may see SameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.
We do recommend enabling the new cookie handling behavior for testing (I donât think it is enabled by default in all versions of Chrome 80 just yet):
âto test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the âSameSite by default cookiesâ and âCookies without SameSite must be secureâ experimentsâ.
Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:
You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior so may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:
Thank you for the response. I see the auth0.sso cookies is set without the samesite and secure. Our application is working fine in chrome but in firefox I still see issue as samesite is unset.
I used to see cookie warnings till Friday but I am not seeing warnings since today. Looks like some update on auth0 side. I dont see any samesite=none and secure set by auth0. Hope this will not cause any problems in the future.
My experience so far is the Firefox dev tools arenât caught up on SameSite yetâthey are more or less worthless for inspecting the cookie data.
Did your Chrome testing involve disabling the POST+Lax behavior? If not, that might explain the discrepancy.
Is qa-app.zyyah.com a custom domain for your Auth0 tenant? Are you using the Universal login page? What version of auth0-spa-js or auth0.js are you using?
I did chrome testing for POST+Lax disabled behavirour. With and without I am seeing cookie behavior changed from Friday to today. I am not seeing any warnings in chrome.
We are using auth0 lock sdk 11 version. We havenât assigned custom domain to auth0 tenant. qa-app.zyyah.com is app URL. auth0 tenant domain is zyyah-test.auth0.com. I am not seeing any cookies with this auth0 domain.
HmmmâŠIâm not entirely sure how to explain this behavior, or why it changed recently. Samesite is challenging because there are lot of things working together, not all of which are controlled by Auth0.
Weâre in a code freeze right now so I kind of want to wave my hands and blame it on a browser update. ButâŠI wonât.
If you want to capture an HTTP trace from Firefox and Chrome and send it to me via DM, I can take a closer look and see if I can make sense of it: Generate and Analyze HAR Files
Hi I am working through the same issue as you where I am getting a warning for a cookie with the name auth0.sso.
I found that in the chrome browser when I enable the âSameSite by default cookiesâ and âCookies without SameSite must be secure" settings it doesnât throw the SameSite attribute unset warnings. It will only throw a âcookie is blockedâ warning when your app actually tries to use the cookie and it is blocked from accessing it.
Do you know if the auth0.sso is created by auth0.com server or by the auth0 lock?
Are you still having issues with your app on Firefox? Is it failing for both username/password and social IdP auth on firefox?
Yes. I still have the firefox issue. Not able to login in firefox browser due to this issue. Its blocker for us. Any help is appreciated. Application is accessed on https but samesite cookies are unset. Please see the image below.
Any update on the issue? I am using Chrome and the auth0-spa-js package with React. I have the same cookies as @manohar.gandra and am getting the warning by chrome. Iâm afraid what will happen when the site goes live?
Chrome appears to be blocking cookies from auth0 and reporting in the console:
ââŠIt has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and [https://www.chromestatus.com/feature/5633521622188032.â
This happened to me too. I just finished setting my applicationâs Quickstart and could log in and see the user data, yet when I refresh I see this warning on the console and I can no longer see the user data.
Please DM me an HTTP trace and Iâll see what I can figure out. I also wanted to share two points that may or may not be helpful in your cases:
Back in April Google said they were delaying the SameSite rollout due to covid-19. But I am not sure of the current status.
We include a set of identical cookies with and without SameSite for backwards compatibility. So even if your site is configured and working you will see SameSite errors in the console for the cookies without the SameSite flag. If your site is working as expected you can ignore the errors.
