Angular SDK Cookies - SameSite

Hi There,

I have a question about "@auth0/auth0-spa-js": "^1.7.0" with Angular.
I’m getting a warning when I run my app:

A cookie associated with a cross-site resource at https://{{domain}}.auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I can see that a cookie is set like so: `auth0.is.authenticated` with a value of `true`. I’m not setting this cookie in my app, so it must be coming from the SDK somewhere.

Does anyone know where in the SDK it might be set, and can you confirm that the only thing I need to do when the time comes is update the SDK?


The SDK in question would be running in your own client application, so the cookies that the SDK sets would be in scope of your own domain. This suggests that the warning, which points to the tenant default domain, is likely about something else.

An authentication flow that redirects through the Auth0 service will trigger cookies being set by the Auth0 service itself. In order to mitigate the SameSite situation, the Auth0 service (server-side) will set any necessary cookies in pairs: one with the SameSite attribute (to meet Chrome requirements) and the other one without (as a compatibility fallback). This compatibility fallback may, however, cause those warnings for the cookie that was set without the attribute, but this will not have a functional impact. You should review the cookies being set in the tenant default domain itself; if you see cookies with the attribute and then similarly named ones (with a suffix) without it, then that’s fine and Chrome is just complaining about the fallback ones.
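The paired-cookie pattern described in the answer, as an added example that is not code from the Auth0 service or SDK: it builds the modern/fallback `Set-Cookie` pair and audits a response's cookies so that a cookie lacking SameSite is reported as a benign fallback only when its SameSite=None twin is present. The cookie names and the `_compat` suffix are assumptions; the real service may use other names.

```javascript
// Added example (not Auth0 code). Cookie names and the suffix are assumed.
const FALLBACK_SUFFIX = '_compat'; // assumed suffix of the no-SameSite twin

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute keys are lower-cased; flag attributes (Secure, HttpOnly) map to true.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const a of rest) {
    const i = a.indexOf('=');
    const key = (i === -1 ? a : a.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : a.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Emit the pair: SameSite=None; Secure for current Chrome, plus a legacy twin
// without SameSite for clients that mishandle the None value.
function buildCookiePair(name, value) {
  const common = `Path=/; Secure; HttpOnly`;
  return [
    `${name}=${value}; ${common}; SameSite=None`,
    `${name}${FALLBACK_SUFFIX}=${value}; ${common}`,
  ];
}

// Classify each cookie: 'ok', 'none-without-secure' (SameSite=None but not
// Secure, which Chrome rejects), 'fallback' (no SameSite, but a twin with
// SameSite=None exists), or 'missing-samesite' (a genuine cross-site gap).
function auditCookies(setCookieHeaders) {
  const cookies = setCookieHeaders.map(parseSetCookie);
  const modern = new Set(
    cookies
      .filter((c) => String(c.attrs.samesite).toLowerCase() === 'none')
      .map((c) => c.name)
  );
  const report = {};
  for (const c of cookies) {
    const sameSite = c.attrs.samesite;
    if (sameSite !== undefined) {
      const isNone = String(sameSite).toLowerCase() === 'none';
      report[c.name] = isNone && c.attrs.secure !== true ? 'none-without-secure' : 'ok';
    } else if (
      c.name.endsWith(FALLBACK_SUFFIX) &&
      modern.has(c.name.slice(0, -FALLBACK_SUFFIX.length))
    ) {
      report[c.name] = 'fallback';
    } else {
      report[c.name] = 'missing-samesite';
    }
  }
  return report;
}
```

Run `auditCookies` over the `Set-Cookie` headers captured from the tenant domain's responses; only `missing-samesite` or `none-without-secure` entries need attention.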