Chrome: Warning message - SameSite cookie

I’m having the same issue. My team is new to auth0 and right now (in development) we’re not experiencing any negative effects, just a noisy console. I’m concerned about issues once we deploy.

@ejhalpin @tasktix @bruno-caravelo @andres

Hey everyone, I have an update on the warning.

It is a change to Chrome’s cookie protocol, scheduled to go live with Chrome 80 in Feb 2020. We are aware of the change in policy and are prepared for the Feb release.

Thanks,
Dan

From Chrome:

1 Like

Thanks @dan.woda! Yes, for now it is just a warning, although it makes the console quite noisy. Do you have an ETA on the fix for this one?

2 Likes

@andres

I apologize, I don’t have any other information at this time. Filtering the warnings out would be all I can recommend.

2 Likes

I have the same issue and currently in my app I can’t sign in using Chrome Canary (for standard Chrome it’s fine).

@avernikoz,

This would make sense as Canary is likely requiring SameSite cookies, being a pre-beta build of Chrome.

If you have trouble in Chrome Canary, the SameSite behavior can be changed back to the old default by setting chrome://flags/#same-site-by-default-cookies to the value “Disabled”.

This flag obviously won’t fix the underlying problem, but if you’re using Canary for development work, it’ll make your site usable again for the time being.

2 Likes

In incognito mode, Chrome Canary will block any third-party cookies regardless of the SameSite attribute. So your company.auth0.com domain must be explicitly whitelisted by adding it to the Allow list at chrome://settings/content/cookies

Thanks for the input @xoob!

Nice, thank you @xoob

I’m also running into login issues with Chrome 79 beta. Disabling cookies-without-same-site-must-be-secure or same-site-by-default-cookies gets around the issue, so it would seem auth0 needs to address this before Chrome 80. Chrome 79 goes stable Dec 10.
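
The two flags named in this thread each enforce one rule: `same-site-by-default-cookies` treats a cookie with no `SameSite` attribute as `Lax`, and `cookies-without-same-site-must-be-secure` rejects `SameSite=None` cookies that lack `Secure`. The sketch below is an added example (not part of the thread and not Auth0 or Chrome code) that applies both rules to constructed `Set-Cookie` headers to show which cookies would still be sent on cross-site subrequests such as an embedded login iframe; the function names and cookie names are hypothetical.

```javascript
// Parse the attributes this check needs from one Set-Cookie header value.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((p) => p.trim());
  const eq = nameValue.indexOf("=");
  const cookie = { name: nameValue.slice(0, eq), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [k, v = ""] = attr.split("=");
    const key = k.trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    if (key === "samesite") cookie.sameSite = v.trim().toLowerCase();
  }
  return cookie;
}

// Apply both flagged behaviours to one header.
function classify(header) {
  const c = parseSetCookie(header);
  // same-site-by-default-cookies: no SameSite attribute means Lax.
  // Assumption in this sketch: an unrecognised value is handled the same way.
  const known = ["strict", "lax", "none"];
  const effectiveSameSite = known.includes(c.sameSite) ? c.sameSite : "lax";
  // cookies-without-same-site-must-be-secure: SameSite=None requires Secure.
  const rejected = effectiveSameSite === "none" && !c.secure;
  // Only an accepted SameSite=None cookie rides on cross-site subrequests.
  const sentCrossSite = !rejected && effectiveSameSite === "none";
  return { name: c.name, effectiveSameSite, rejected, sentCrossSite };
}

// Constructed sample headers (not captured from any real service).
const SAMPLES = [
  "session=abc123; Path=/; HttpOnly",
  "session=abc123; Path=/; HttpOnly; SameSite=None",
  "session=abc123; Path=/; HttpOnly; Secure; SameSite=None",
  "prefs=dark; Path=/; SameSite=Strict",
];

function report(headers = SAMPLES) {
  return headers.map((h) => ({ header: h, ...classify(h) }));
}

for (const row of report()) {
  console.log(JSON.stringify(row));
}
```

Only the third sample survives as a cross-site cookie, which matches the logins in this thread that break until the flags are disabled.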

Just encountered this issue in Chrome Dev. Disabling the same-site default worked. It seems quite a long time to wait for the fix until next year. Any way a fix can be deployed sooner?

I should have an update soon. Thank you for taking the time to reach out on the issue!

1 Like

Hey all, it looks like this update should be rolling out earlier than I initially thought. I don’t have a hard release date at the moment, but it looks like it should be live soon. We will have some official content on the changes when they roll out.

If you have any more questions feel free to post them here. Thanks.

1 Like

We have released a doc on SameSite:

Here is the Auth0 blog post about SameSite.

Interesting reads, thanks!

We are using the @auth0/auth0-spa-js npm package in an Angular application.
Is there anything we need to change to support the new cookie flow?
Except for updating the npm package perhaps.

1 Like

I don’t think you should have to do anything for that library. Let us know if you are still running into issues after the first week or so in December.

1 Like

All,

Updates are rolling out now, and you should see them in the notifications of your support center.

https://support.auth0.com/notifications/

1 Like

We have an announcement about the roll out, please continue any conversation there: