Auth0 Chrome SameSite issue

Manohar,

If you’re seeing this error for cookies on the auth0.com domain, this is generally not a problem. For compatibility reasons we set two versions of our cookies, one with and one without the SameSite attribute, so you may see SameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.

We do recommend enabling the new cookie handling behavior for testing (I don’t think it is enabled by default in all versions of Chrome 80 just yet):

“to test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the ‘SameSite by default cookies’ and ‘Cookies without SameSite must be secure’ experiments”.

Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:

https://www.chromium.org/updates/same-site

You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior, so it may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:

network.cookie.sameSite.laxByDefault
network.cookie.sameSite.noneRequiresSecure

Let me know if you have further questions about any of this.

Matt

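As an added illustration (not part of Matt's reply or Auth0's own code), here is a small Python model of the behaviour discussed above: the dual-cookie pair (one copy with SameSite=None, one "_compat" copy without the attribute) and a decision function for whether Chrome with the two experiments enabled stores each copy and sends it on a cross-site request, including the two-minute POST+Lax window. Cookie names, values and the domain are constructed for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

LAX_POST_WINDOW_SECONDS = 120  # Chrome's two-minute POST+Lax grace window
SAFE_METHODS = ("GET", "HEAD")  # Lax cookies ride only on safe top-level navigations


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool
    age_seconds: float = 0.0  # seconds since the browser processed Set-Cookie


def compat_set_cookie_headers(name: str, value: str, domain: str) -> List[str]:
    """Emit the dual-cookie pair: one with SameSite=None for new browsers,
    one '<name>_compat' copy without SameSite for clients that mishandle 'None'."""
    base = f"{value}; Domain={domain}; Path=/; Secure; HttpOnly"
    return [f"{name}={base}; SameSite=None", f"{name}_compat={base}"]


def chrome_stores(cookie: Cookie, none_requires_secure: bool = True) -> bool:
    """'Cookies without SameSite must be secure': SameSite=None needs Secure."""
    if none_requires_secure and cookie.samesite == "None" and not cookie.secure:
        return False
    return True


def sent_cross_site(cookie: Cookie, method: str, top_level: bool,
                    lax_by_default: bool = True,
                    none_requires_secure: bool = True) -> bool:
    """Would this cookie accompany a cross-site request under the given flags?"""
    if not chrome_stores(cookie, none_requires_secure):
        return False  # rejected at set time, so never sent
    mode = cookie.samesite
    if mode is None:
        if not lax_by_default:
            return True  # legacy behaviour: a missing attribute means 'None'
        # New default: treat as Lax, but honour the POST+Lax window for fresh cookies
        if top_level and method == "POST" and cookie.age_seconds < LAX_POST_WINDOW_SECONDS:
            return True
        mode = "Lax"
    if mode == "None":
        return True
    if mode == "Lax":
        return top_level and method in SAFE_METHODS
    return False  # Strict: never sent cross-site
```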