Description:
Hi, after a Chrome update, we now see this warning in the console.
Is there a way to activate the SameSite attribute when the Auth0 instance is created?
A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I’m having the same issue. My team is new to auth0 and right now (in development) we’re not experiencing any negative effects, just a noisy console. I’m concerned about issues once we deploy.
It is a change to Chrome’s cookie protocol, scheduled to go live with Chrome 80 in Feb 2020. We are aware of the change in policy and are prepared for the Feb release.
If you have trouble in Chrome Canary, the SameSite behavior can be changed back to the old default by setting chrome://flags/#same-site-by-default-cookies to the value “Disabled”.
This flag obviously won’t fix the underlying problem, but if you’re using Canary for development work, it’ll make your site usable again for the time being.
In incognito mode, Chrome Canary will block any third-party cookies regardless of the SameSite attribute. So your company.auth0.com domain must be explicitly whitelisted by adding it to the Allow list at chrome://settings/content/cookies
I’m also running into login issues with Chrome 79 beta. Disabling cookies-without-same-site-must-be-secure or same-site-by-default-cookies gets around the issue, so it would seem auth0 needs to address this before Chrome 80. Chrome 79 goes stable Dec 10.
Just encountered this issue in Chrome Dev. Disabling the same-site default worked. It seems quite a long time to wait for the fix until next year. Any way a fix can be deployed sooner?
Hey all, it looks like this update should be rolling out earlier than I initially thought. I don’t have a hard release date at the moment, but it looks like it should be live soon. We will have some official content on the changes when they roll out.
If you have any more questions feel free to post them here. Thanks.
We are using the @auth0/auth0-spa-js npm package in an Angular application.
Is there anything we need to change to support the new cookie flow?
Except for updating the npm package perhaps.
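
Added example, not part of any post in this thread and not Auth0's code: a small Node.js audit that classifies `Set-Cookie` headers under the two Chrome behaviours named above (`same-site-by-default-cookies` and `cookies-without-same-site-must-be-secure`). The function names and sample headers are constructed for illustration; Chrome's handling of top-level navigations for Lax cookies is not modelled.

```javascript
// Parse one Set-Cookie header into the fields that matter for SameSite checks.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: eq < 0 ? pair : pair.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [rawKey, ...rest] = attr.split("=");
    const key = rawKey.trim().toLowerCase(); // attribute names are case-insensitive
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = rest.join("=").trim().toLowerCase();
  }
  return cookie;
}

// stored: does the browser keep the cookie at all?
// thirdParty: is it sent on cross-site subrequests (iframes, XHR/fetch)?
function classify(header) {
  const c = parseSetCookie(header);
  const result = (stored, thirdParty, note) => ({ name: c.name, stored, thirdParty, note });
  if (c.sameSite === "none") {
    // cookies-without-same-site-must-be-secure
    return c.secure
      ? result(true, true, "SameSite=None; Secure: sent with cross-site requests")
      : result(false, false, "SameSite=None without Secure: rejected");
  }
  if (c.sameSite === "strict") {
    return result(true, false, "SameSite=Strict: same-site requests only");
  }
  if (c.sameSite === "lax") {
    return result(true, false, "SameSite=Lax: not sent on cross-site subrequests");
  }
  // same-site-by-default-cookies: missing or unrecognised value is treated as Lax
  return result(true, false, "no valid SameSite: treated as Lax by default");
}

// Constructed sample headers (hypothetical cookie names and values).
const SAMPLE_HEADERS = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; HttpOnly; SameSite=None",
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "prefs=dark; Path=/; SameSite=Lax",
];

function audit(headers) {
  return headers.map(classify);
}

for (const r of audit(SAMPLE_HEADERS)) {
  console.log(`${r.name}: stored=${r.stored} thirdParty=${r.thirdParty} (${r.note})`);
}
```

Run it over the `Set-Cookie` headers captured from your own login flow (for example from the DevTools Network tab) to see which cookies stop being sent in cross-site contexts once the new defaults are enabled.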