
Auth0 Chrome SameSite issue

Hi,

I am seeing an Auth0 SameSite issue in the Chrome 80 version of our application. I looked into the previous forum post and article but was not able to find how to fix this problem. Is Auth0 releasing any patch? We are using Auth0 Lock version 11. This is seen in the console. I have posted on the Auth0 Lock issues page but haven't got any response yet.

A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

Thanks
Manohar

Manohar,

If you’re seeing this error for cookies on the auth0.com domain, this is generally not a problem. For compatibility reasons we set two versions of our cookies, one with and one without the SameSite attribute, so you may see SameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.

We do recommend enabling the new cookie handling behavior for testing (I don’t think it is enabled by default in all versions of Chrome 80 just yet):

“to test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments”.

Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:

You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior so may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:

network.cookie.sameSite.laxByDefault
network.cookie.sameSite.noneRequiresSecure

Let me know if you have further questions about any of this.

Matt

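To make Matt's explanation concrete, here is an added example (not Auth0's code, and not taken from the thread) that models the two Chrome 80 rules he refers to, "SameSite by default cookies" (unset is treated as Lax) and "Cookies without SameSite must be secure" (SameSite=None is rejected unless Secure), together with the two-minute Lax+POST grace period, and that builds the kind of "_compat" cookie pair he describes. The cookie names, domain, request shapes and timestamps below are constructed for the demo; the function names are my own.

```javascript
// Added example, not Auth0's code: model the SameSite rules Chrome 80 enforces
// when the "SameSite by default cookies" and "Cookies without SameSite must be
// secure" flags are on, and build a dual-cookie "compat" pair like the one Matt
// describes. Cookie names, domain, requests and timestamps are constructed.

const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);
const LAX_POST_WINDOW_MS = 2 * 60 * 1000; // Chrome's "Lax+POST" grace period

// Serialise one Set-Cookie header value from a name, value and attribute map.
function setCookieHeader(name, value, attrs = {}) {
  const parts = [`${name}=${value}`];
  if (attrs.domain) parts.push(`Domain=${attrs.domain}`);
  parts.push(`Path=${attrs.path || "/"}`);
  if (attrs.sameSite) parts.push(`SameSite=${attrs.sameSite}`);
  if (attrs.secure) parts.push("Secure");
  if (attrs.httpOnly) parts.push("HttpOnly");
  return parts.join("; ");
}

// The compatibility pattern: one cookie with SameSite=None; Secure for browsers
// that implement the new default, and a "<name>_compat" twin with no SameSite
// attribute for older browsers that mishandle SameSite=None. The twin is the
// cookie that trips the "set without the SameSite attribute" console warning.
function compatCookiePair(name, value, attrs = {}) {
  return [
    setCookieHeader(name, value, { ...attrs, sameSite: "None", secure: true }),
    setCookieHeader(`${name}_compat`, value, { ...attrs, sameSite: undefined, secure: true }),
  ];
}

// Parse a Set-Cookie header value back into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Decide whether Chrome 80 (new behaviour enabled) stores the cookie and whether
// it attaches it to a request. setAtMs is when the cookie was stored, nowMs the
// request time; request = { crossSite, topLevel, method }.
function chrome80Decision(header, request, setAtMs, nowMs) {
  const cookie = parseSetCookie(header);
  const raw = String(cookie.attrs.samesite || "").toLowerCase();
  const explicit = ["none", "lax", "strict"].includes(raw);
  const secure = cookie.attrs.secure === true;

  // Rule 1: SameSite=None is rejected outright unless the cookie is Secure.
  if (raw === "none" && !secure) {
    return { stored: false, sent: false, reason: "SameSite=None without Secure is rejected" };
  }
  // Rule 2: an absent or unrecognised SameSite value is treated as Lax.
  const effective = explicit ? raw : "lax";

  if (!request.crossSite) return { stored: true, sent: true, reason: "same-site request" };
  if (effective === "none") return { stored: true, sent: true, reason: "SameSite=None" };
  if (effective === "strict") return { stored: true, sent: false, reason: "Strict never crosses sites" };

  // Lax: sent on top-level navigations with safe methods only ...
  if (request.topLevel && SAFE_METHODS.has(request.method)) {
    return { stored: true, sent: true, reason: "Lax allows top-level safe navigation" };
  }
  // ... plus Chrome's Lax+POST exception: a cookie that *defaulted* to Lax is still
  // sent on a top-level cross-site POST for two minutes after it was set. Firefox
  // has no such exception, which is why a login round-trip can pass in Chrome and
  // fail in Firefox.
  if (!explicit && request.topLevel && request.method === "POST" &&
      nowMs - setAtMs < LAX_POST_WINDOW_MS) {
    return { stored: true, sent: true, reason: "Lax+POST grace period (defaulted cookie, under 2 min old)" };
  }
  return { stored: true, sent: false,
           reason: "Lax blocks cross-site " + (request.topLevel ? request.method : "subresource request") };
}

// Demo: the same defaulted cookie passes a cross-site POST in its first two
// minutes and is dropped afterwards.
const [modern, compat] = compatCookiePair("did", "s3ssion", { domain: "auth0.com" });
const t0 = Date.parse("2020-02-07T10:00:00Z"); // constructed timestamp
const crossPost = { crossSite: true, topLevel: true, method: "POST" };
console.log(modern);
console.log(compat);
console.log(chrome80Decision(compat, crossPost, t0, t0 + 30000));      // sent: true
console.log(chrome80Decision(compat, crossPost, t0, t0 + 5 * 60000));  // sent: false
```

Run it with `node samesite-demo.js`. The practical point for debugging a thread like this one: when reproducing in Chrome, either disable the Lax+POST behaviour as Matt suggests or wait more than two minutes between the cookie being set and the cross-site POST, otherwise Chrome will appear to work where Firefox does not.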

Matt,

Thank you for the response. I see the auth0.sso cookie is set without SameSite and Secure. Our application is working fine in Chrome, but in Firefox I still see the issue as SameSite is unset.

I used to see cookie warnings till Friday, but I am not seeing warnings since today. Looks like some update on the Auth0 side. I don't see any SameSite=None and Secure set by Auth0. Hope this will not cause any problems in the future.

Chrome: (screenshot not reproduced)

Firefox: SameSite unset (screenshot not reproduced). The application is not working due to this issue in Firefox.

Manohar,

My experience so far is the Firefox dev tools aren’t caught up on SameSite yet; they are more or less worthless for inspecting the cookie data.

Did your Chrome testing involve disabling the POST+Lax behavior? If not, that might explain the discrepancy.

Is qa-app.zyyah.com a custom domain for your Auth0 tenant? Are you using the Universal login page? What version of auth0-spa-js or auth0.js are you using?

Thanks,

Matt

I did Chrome testing with the POST+Lax behaviour disabled. With and without it, I am seeing the cookie behavior changed from Friday to today. I am not seeing any warnings in Chrome.

We are using the Auth0 Lock SDK version 11. We haven’t assigned a custom domain to the Auth0 tenant. qa-app.zyyah.com is the app URL; the Auth0 tenant domain is zyyah-test.auth0.com. I am not seeing any cookies with this Auth0 domain.

Hmmm… I’m not entirely sure how to explain this behavior, or why it changed recently. SameSite is challenging because there are a lot of things working together, not all of which are controlled by Auth0.

We’re in a code freeze right now, so I kind of want to wave my hands and blame it on a browser update. But… I won’t.

If you want to capture an HTTP trace from Firefox and Chrome and send it to me via DM, I can take a closer look and see if I can make sense of it: https://auth0.com/docs/troubleshoot/guides/generate-har-files

Thanks!

@manohar.gandra

Hi, I am working through the same issue as you, where I am getting a warning for a cookie with the name auth0.sso.

I found that in the Chrome browser, when I enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” settings, it doesn’t throw the SameSite-attribute-unset warnings. It will only throw a ‘cookie is blocked’ warning when your app actually tries to use the cookie and it is blocked from accessing it.

Do you know if the auth0.sso cookie is created by the auth0.com server or by Auth0 Lock?

Are you still having issues with your app on Firefox? Is it failing for both username/password and social IdP auth on Firefox?