Auth0 Chrome SameSite issue

Hi,

I am seeing a auth0 samesite issue in chrome 80 version of our application. I looked into the previous forum and article but not able to find how to fix this problem. Is auth0 releasing any patch? We are using auth0 lock 11 version. This is seen in the console. I have posted in auth0 lock issues page but havent got any response yet.

A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure . You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and Chrome Platform Status.

Thanks
Manohar

Manohar,

If you’re seeing this error for cookies on the auth0.com domain this is generally not a problem. For compatibility reasons we set two versions of our cookies, one with and one without the SameSite attribute, so you may see SameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.

We do recommend enabling the new cookie handling behavior for testing (I don’t think it is enabled by default in all versions of Chrome 80 just yet):

“to test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments”.

Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:

https://www.chromium.org/updates/same-site

You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior so may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:

network.cookie.sameSite.laxByDefault
network.cookie.sameSite.noneRequiresSecure

Let me know if you have further questions about any of this.

Matt

2 Likes

Matt,

Thank you for the response. I see the auth0.sso cookies is set without the samesite and secure. Our application is working fine in chrome but in firefox I still see issue as samesite is unset.

I used to see cookie warnings till Friday but I am not seeing warnings since today. Looks like some update on auth0 side. I dont see any samesite=none and secure set by auth0. Hope this will not cause any problems in the future.

Chrome.

Firefox - Samesite unset. Application is not working due to this issue in firefox.

Manohar,

My experience so far is the Firefox dev tools aren’t caught up on SameSite yet–they are more or less worthless for inspecting the cookie data.

Did your Chrome testing involve disabling the POST+Lax behavior? If not, that might explain the discrepancy.

Is qa-app.zyyah.com a custom domain for your Auth0 tenant? Are you using the Universal login page? What version of auth0-spa-js or auth0.js are you using?

Thanks,

Matt

I did chrome testing for POST+Lax disabled behavirour. With and without I am seeing cookie behavior changed from Friday to today. I am not seeing any warnings in chrome.

We are using auth0 lock sdk 11 version. We haven’t assigned custom domain to auth0 tenant. qa-app.zyyah.com is app URL. auth0 tenant domain is zyyah-test.auth0.com. I am not seeing any cookies with this auth0 domain.

Hmmm
I’m not entirely sure how to explain this behavior, or why it changed recently. Samesite is challenging because there are lot of things working together, not all of which are controlled by Auth0.

We’re in a code freeze right now so I kind of want to wave my hands and blame it on a browser update. But
I won’t.

If you want to capture an HTTP trace from Firefox and Chrome and send it to me via DM, I can take a closer look and see if I can make sense of it: Generate and Analyze HAR Files

Thanks!

@manohar.gandra

Hi I am working through the same issue as you where I am getting a warning for a cookie with the name auth0.sso.

I found that in the chrome browser when I enable the “SameSite by default cookies” and “Cookies without SameSite must be secure" settings it doesn’t throw the SameSite attribute unset warnings. It will only throw a ‘cookie is blocked’ warning when your app actually tries to use the cookie and it is blocked from accessing it.

Do you know if the auth0.sso is created by auth0.com server or by the auth0 lock?

Are you still having issues with your app on Firefox? Is it failing for both username/password and social IdP auth on firefox?

Yes. I still have the firefox issue. Not able to login in firefox browser due to this issue. Its blocker for us. Any help is appreciated. Application is accessed on https but samesite cookies are unset. Please see the image below.

Any update on the issue? I am using Chrome and the auth0-spa-js package with React. I have the same cookies as @manohar.gandra and am getting the warning by chrome. I’m afraid what will happen when the site goes live?

1 Like

we are using auth0-spa-js 1.10.0 with angular and are getting the same error in chrome and in safari it stopped working because of this.

2 Likes

Have you gotten any updates? This is stalling go-live for an application we were hoping to roll out.

This worked for me after adding custom domain matching application in auth0. It worked in both chrome and safari but firefox is still an issue.

@matt.macadam is this still not an issue? What should we do?

Auth0 has action steps but it seems like these are steps only Auth0 can take? ( scroll to bottom SameSite Cookie Attribute Changes)

Chrome appears to be blocking cookies from auth0 and reporting in the console:
“
It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and [https://www.chromestatus.com/feature/5633521622188032.”

1 Like

This happened to me too. I just finished setting my application’s Quickstart and could log in and see the user data, yet when I refresh I see this warning on the console and I can no longer see the user data.

@johns1, @davidalejandro:

Please DM me an HTTP trace and I’ll see what I can figure out. I also wanted to share two points that may or may not be helpful in your cases:

  • Back in April Google said they were delaying the SameSite rollout due to covid-19. But I am not sure of the current status.
  • We include a set of identical cookies with and without SameSite for backwards compatibility. So even if your site is configured and working you will see SameSite errors in the console for the cookies without the SameSite flag. If your site is working as expected you can ignore the errors.

Thanks,

Matt