SameSite cookie attribute changes are here!

Cookies are changing 🍪 ⏩.

In an effort to increase security and avoid CSRF Attacks, changes to cookie attributes are being rolled out in common browsers.

Learn everything you need to know about the sameSite attribute and upcoming browser changes in our recent blog post and doc.


Please let us know if you have any questions we can assist with on this front in the comments below!

howdy thank you – can you clarify whether this will have unique impacts for OAuth using the Social Login extensions @ & https://auth0.com/docs/extensions

The Custom Social Extensions seem to have some callback methods which could break – I’ve been testing some other auth flows and have seen issues with CSRF workarounds breaking after the SameSite changes, and some of the details on your OAuth social extensions page seem to have the potential to break.

Do you have any demo sites or places these can be tested without spinning them all up? I’m mostly just trying to find SameSite impacts and am trying to not have to set up servers/auth for every stack to do that, so just dummy flows or client flows with live extensions would be great to test…

thanks for y’all’s time and work.

Sincerely,
Zach
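To make the callback concern above concrete, here is an added example (it is not Auth0’s code nor the Social Login extensions’ code): it models the browser’s cookie-send decision for `Strict`, `Lax`, `None` and an absent attribute under the new default, then runs a hypothetical OAuth callback’s `state`-cookie CSRF check through it. The cookie name `oauth_state` and the scenarios are assumptions.

```python
import hmac
from dataclasses import dataclass
from typing import List, Optional

@dataclass
class Cookie:
    name: str
    value: str
    same_site: Optional[str]  # "Strict", "Lax", "None", or None when the attribute is absent
    secure: bool = False

def browser_sends(cookie: Cookie, cross_site: bool, top_level: bool, method: str) -> bool:
    """Model of a browser applying the new rules: absent attribute is treated as Lax."""
    mode = cookie.same_site or "Lax"
    if mode == "None":
        return cookie.secure  # SameSite=None is only honoured together with Secure
    if not cross_site:
        return True  # same-site requests always carry the cookie
    if mode == "Strict":
        return False
    # Lax: cross-site only on a top-level navigation with a safe method (e.g. the GET redirect back)
    return top_level and method.upper() in ("GET", "HEAD")

def callback_state_check(cookies: List[Cookie], query_state: str,
                         cross_site: bool, top_level: bool, method: str) -> str:
    """Hypothetical callback handler: the state echoed by the provider must match the cookie."""
    sent = {c.name: c.value for c in cookies if browser_sends(c, cross_site, top_level, method)}
    expected = sent.get("oauth_state")
    if expected is None:
        return "rejected: state cookie not sent"
    if not hmac.compare_digest(expected, query_state):
        return "rejected: state mismatch"
    return "accepted"

def scenarios() -> dict:
    """Constructed scenarios: a cookie set without SameSite versus the corrected attribute."""
    legacy = [Cookie("oauth_state", "abc123", None)]               # attribute absent -> Lax by default
    fixed = [Cookie("oauth_state", "abc123", "None", secure=True)]  # explicit SameSite=None; Secure
    insecure = [Cookie("oauth_state", "abc123", "None")]           # SameSite=None but no Secure
    return {
        # provider redirects back with a top-level GET: Lax cookie still arrives
        "legacy_get": callback_state_check(legacy, "abc123", True, True, "GET"),
        # provider posts back (response_mode=form_post): Lax cookie is dropped, CSRF check fails
        "legacy_post": callback_state_check(legacy, "abc123", True, True, "POST"),
        "fixed_post": callback_state_check(fixed, "abc123", True, True, "POST"),
        "insecure_post": callback_state_check(insecure, "abc123", True, True, "POST"),
        "fixed_post_tampered": callback_state_check(fixed, "zzz", True, True, "POST"),
    }
```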

Hi @thezedwards,

Sorry for the delayed response. I just received word back from the team, this issue has been moved to the top of the backlog.

I am not familiar with a demo site for testing, unfortunately. If this is something that you would find helpful, please submit the idea to our feedback page.

Let us know if you run into anything else and I’ll let the team know!

Thanks,
Dan


Thanks very much, Dan!

our team at metax.io is doing another SameSite webinar in ~2.5 weeks and we were hoping to give an update on a few social extensions like y’all’s – totally understand if you can’t get an update by then but I’d love to be able to explain any part of your process/mitigation/“can’t-do’s” or however you frame any changes around the extensions. I think many organizations are looking at the SameSite changes and trying to figure out if there are holes that they won’t be able to fill, and/or if they will require re-architecting for some extensions/extension-clients.

Thanks much for anything y’all can share and your work.

Sincerely,
Zach


I’ll pass it along to the team! Thanks @thezedwards! Also, did you get a chance to look at the blog post?

Thank you - I did and it was very solid.

But basically, since I don’t know your Extensions as well, I think that’s the place that needs a second look.

Also, y’all did this for ITP @ https://auth0.com/docs/api-auth/token-renewal-in-safari and I think something like this may need to be done around SameSite - there are usually problems like this that only specific changes to architecture can solve.

thanks again~

