A cookie associated with a cross-site resource at http://auth0.com/ was set without the `SameSite` attribute

Hi and welcome to Auth0 Community! @tim6

In general SPAs and native applications are not affected as far as their interactions with Auth0. “Regular” web applications, where the logic is hosted server side and renders static pages to the browser, may be affected depending on how they interact with Auth0. Specifically, applications using “response_mode=form_post” may need to use a different response mode or risk breaking compatibility with older browsers (let me know if you have more questions about this as the explanation is lengthy).

We have a document on the new SameSite requirements:

And some additional exposition here:

The auth0 servers do set cookies in the browser but we’ve already made changes on the server side to address the new requirements. For compatibility reasons we set two versions of our cookies, one with and one without the SameSite attribute, so you may see SameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.

If you’re using recent versions of our SDKs cookie handling should generally be taken care of for you, but if you’re manually making HTTP calls you may need to confirm the cookie attributes. In any case there’s no substitute for functional testing–I strongly recommend enabling the new cookie handling behavior for testing:

“To test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the "SameSite by default cookies" and "Cookies without SameSite must be secure" experiments.”

Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:

https://www.chromium.org/updates/same-site

You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior so may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:

network.cookie.sameSite.laxByDefault
network.cookie.sameSite.noneRequiresSecure

Certain extensions on the Auth0 dashboard may also need to be updated, but we’ll notify you via the dashboard and email when updates are required and available.

Additional explanation around form_post

Applications using “response_type=form_post” have several options, listed here in order of preference.
- Stop using the form_post flow. This is slightly less efficient, but won’t break login flows or compatibility with older browsers.

- Set “SameSite=None” on required cookies. This may break sign in with older browsers that don’t know how to handle this attribute. A possible workaround would be to set two identical cookies with and without the attribute, but this isn’t usually possible inside a library: it would require custom work to set and read these cookies.

Please let me know if this is helpful!
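The two-cookie workaround described in the post (one cookie with `SameSite=None; Secure` for current browsers and a twin without the attribute for older ones), written out as an added Node.js example that is not Auth0's code. The cookie name `did`, the `_compat` suffix and the helper names are assumptions for illustration.

```javascript
// Added example (not Auth0's code). Builds the two Set-Cookie headers for one
// value and reads back whichever copy the browser actually sends on the next
// request, e.g. a cross-site form_post to the app's callback.

// Returns two Set-Cookie header values for the same cookie value:
//   name         -> SameSite=None; Secure (honoured by Chrome 80+ etc.)
//   name_compat  -> no SameSite attribute, for browsers that reject "None"
function buildCookiePair(name, value, maxAgeSeconds) {
  const base = `${encodeURIComponent(value)}; Path=/; Max-Age=${maxAgeSeconds}; HttpOnly; Secure`;
  return [
    `${name}=${base}; SameSite=None`,
    `${name}_compat=${base}`,
  ];
}

// Minimal parser for an incoming Cookie request header ("a=1; b=2").
function parseCookieHeader(header) {
  const jar = {};
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const key = part.slice(0, eq).trim();
    const raw = part.slice(eq + 1).trim();
    if (!key) continue;
    try {
      jar[key] = decodeURIComponent(raw);
    } catch {
      jar[key] = raw; // malformed percent-encoding: keep the raw value
    }
  }
  return jar;
}

// Prefers the SameSite=None copy; falls back to the compat copy, which is the
// only one an older browser (or one that treats "None" as Strict) will send.
function readCookiePair(cookieHeader, name) {
  const jar = parseCookieHeader(cookieHeader || '');
  if (jar[name] !== undefined) return jar[name];
  if (jar[`${name}_compat`] !== undefined) return jar[`${name}_compat`];
  return null; // neither copy present: treat as no session
}

// Constructed sample usage: the app would emit both headers on login.
const headers = buildCookiePair('did', 'device-abc 123', 3600);
console.log(headers.join('\n'));
console.log(readCookiePair('did_compat=device-abc%20123', 'did'));
```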
