SameSite attribute still not set in cookies after Authorization Extension update


I still seem to be receiving cookies without the SameSite attribute set to None and without the Secure flag.

I’ve updated my extensions today (this only included Authorization Extension from v2.6 to v2.8), but I’m still receiving this warning on Chrome: A cookie associated with a cross-site resource at was set without the `SameSite` attribute.

All the cookies I’m receiving do not have the Secure flag or SameSite set as below:

Does it take a while for the Extension update to start working? Is there anything else I need to do in Auth0? Otherwise does this indicate an issue with my app, I’m using auth0-lock v11.17.3?

Hi @kelsey1,

Sorry for the confusion here. Samesite changes have a lot of moving pieces, many out of our control. There are a few different reasons you could be seeing the warnings, please take a look at this post for more info:

If you think you are running into a bug, or something is missing please let us know.


Hi Dan,

There is definitely a cookie being set without SameSite attribute, but I’m not sure if it’s set by auth0 endpoint or by the auth0 lock.

On it says as below. Does this mean no cookies are created by auth0 when authenticated by social idP?

Cross-origin authentication is not recommended and is only necessary when authenticating against a directory using a username and password. Social IdPs and enterprise federation use a different mechanism, redirecting via standard protocols like OpenID Connect and SAML.

Can you point me towards some technical description of the cookies set by auth0?

This topic was automatically closed 14 days after the last reply. New replies are no longer allowed.