How to set a set cookie in the management screen?

You can send them this information I posted previously.

We explicitly set it to none when saving cookies, at least for HTTPS. If no HTTPS, we use the browser default by not specifying a value at all.

auth0-spa-js/storage.ts at 0c6166c0f1dd7c8405b7231d0074c1eb0d8a164f · auth0/auth0-spa-js · GitHub

If they’re testing on localhost, it could be (I’m assuming Chrome) defaulting to lax if the SameSite attribute is not specified. See this Chrome feature which started rolling out from July 2020. So it could be Chrome just reporting that default.

When SameSite was implemented in this SDK, we decided at the time to specify none when running on HTTPS, and not specify anything at all (inherit browser defaults) when not running on HTTPS.
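
The rule described in the post above (an explicit none on HTTPS, no attribute otherwise, with Chrome then applying its lax default) can be checked against a captured Set-Cookie header. This is an added example, not part of the original thread and not the SDK's code; the function names and the sample cookie name are constructed, and the rejection of SameSite=None without Secure is Chrome behaviour not stated in the thread.

```javascript
// Added example: how a browser with Chrome's SameSite-by-default behaviour
// treats a Set-Cookie header. All names and sample headers are constructed.
function parseSetCookie(header) {
  const [pair, ...rest] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of rest) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    // Attribute names are case-insensitive; flag attributes have no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1).trim();
  }
  return cookie;
}

function effectiveSameSite(header) {
  const { name, attrs } = parseSetCookie(header);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  const declared = ['none', 'lax', 'strict'].includes(raw) ? raw : null;
  const secure = 'secure' in attrs;
  if (declared === null) {
    // Missing or unrecognised value: the browser default applies.
    return { name, declared, effective: 'lax', note: 'browser default' };
  }
  if (declared === 'none' && !secure) {
    // Assumption from Chrome behaviour: None is only accepted with Secure.
    return { name, declared, effective: 'rejected', note: 'SameSite=None requires Secure' };
  }
  return { name, declared, effective: declared, note: 'explicit value honoured' };
}

// Constructed sample headers for the two cases in the post, plus a misconfiguration.
const samples = [
  'example.flag=true; Path=/; Secure; SameSite=None', // HTTPS: explicit none
  'example.flag=true; Path=/',                        // plain HTTP (e.g. localhost): unspecified
  'example.flag=true; Path=/; SameSite=None',         // none without Secure
];
for (const h of samples) {
  console.log(h, '=>', effectiveSameSite(h));
}
```
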

Thank you for your support.
I’ll try to explain.

For example, ‘domain name A’ and ‘domain name B’ use the same Auth0 application. What will be passed in the Set-Cookie?
For example: a token? Or what information? We need to evaluate whether the information leakage will cause harm to our customers.

@lliuxu,

You can see the contents of that cookie by inspecting the application. It contains a boolean value to indicate if the application should perform a silent auth request (just a request, not a form of authentication).

Thank you for your support.

Is that the one below?

That appears to be a different cookie.

Are they 1 and 2 below?

According to your previous post, yes those match the cookies in discussion.

Thank you for your support.
