Samesite cookie flag required changes

I have read the documentation provided by Auth0 around the upcoming changes to how cookie flags will be set in order to satisfy the Chrome 80 update.

My understanding is that the changes will be on the Auth0 IDP implementation in order to set the correct flags on the auth0 domain cookies, which should for the most part mean that clients do not need to make any changes.

However, on the page it says

Set your cookie as secure if its sameSite attribute equals None , otherwise it will be rejected by the browser. If you use HTTP for your Callback URLs, these will break if you use such cookies for binding the authorization request state/nonce. Therefore, you must either use HTTPS or set sameSite=lax .

For our dev environment currently we run with HTTP rather than HTTPS, with the redirect to Auth0 login going to HTTPS and back to HTTP. So this will affect us unless we set sameSite=lax. The problem is the documentation does not say HOW to set the cookie to sameSite=lax.

Can someone please advise if my understanding is correct and, if so, how I can set the flag.

Thanks

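The asker's unanswered question is how to actually emit a state/nonce binding cookie with sameSite=lax, so here is an added example that is not from this thread or from Auth0's SDKs. It assumes a Node.js server-side web application that sets its own binding cookie; the cookie name, lifetime and the checkSameSite() helper are assumptions of mine, and it generalizes the quoted rule to both the HTTP (dev) and HTTPS (production) callback cases.

```javascript
// Added example (not Auth0's code). Builds the Set-Cookie header for an
// OIDC state/nonce binding cookie following the rule quoted above:
// SameSite=None must also be Secure, and an HTTP callback URL cannot
// receive a Secure cookie, so the only option there is SameSite=Lax.
function stateCookieHeader(name, value, callbackUrl, maxAgeSeconds = 600) {
  const scheme = new URL(callbackUrl).protocol;
  const attrs = [
    `${name}=${encodeURIComponent(value)}`,
    "Path=/",
    "HttpOnly",              // the browser's JS never needs the binding value
    `Max-Age=${maxAgeSeconds}`,
  ];
  if (scheme === "https:") {
    // Cross-site POST back from the IdP (response_mode=form_post) still
    // carries the cookie; Chrome 80 accepts None only together with Secure.
    attrs.push("SameSite=None", "Secure");
  } else if (scheme === "http:") {
    // Dev-only HTTP callback: Secure is impossible, so None would be
    // rejected. Lax survives the top-level GET redirect back from the IdP
    // but NOT a cross-site POST, so form_post cannot be used here.
    attrs.push("SameSite=Lax");
  } else {
    throw new Error(`unsupported callback scheme: ${scheme}`);
  }
  return attrs.join("; ");
}

// Reviews an existing Set-Cookie header against the Chrome 80 behaviour
// and returns the findings; an empty array means the cookie is accepted
// with the intended semantics.
function checkSameSite(setCookieHeader) {
  const attrs = new Map();
  for (const part of setCookieHeader.split(";").slice(1)) {
    const [k, v = ""] = part.trim().split("=");
    attrs.set(k.toLowerCase(), v.toLowerCase());
  }
  const findings = [];
  if (!attrs.has("samesite")) {
    findings.push("no SameSite attribute: Chrome 80 treats it as Lax");
  } else if (attrs.get("samesite") === "none" && !attrs.has("secure")) {
    findings.push("SameSite=None without Secure: rejected by Chrome 80");
  }
  return findings;
}

module.exports = { stateCookieHeader, checkSameSite };
```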

Hi @anyname,

Welcome and thank you for posting in Auth0 Community!

What type of application/s do you have?

My main recommendation is to make sure your SDK (if any) is up-to-date.

In general, SPAs and native applications are not affected as far as their interactions with Auth0. “Regular” web applications, where the logic is hosted server side and renders static pages to the browser, may be affected with SameSite depending on how they interact with Auth0. Specifically, applications using “response_mode=form_post” may need to use a different response mode or risk breaking compatibility with older browsers (let me know if you have more questions about this as the explanation is lengthy).

We have a document on the new sameSite requirements:

And some additional exposition here:

The auth0 servers do set cookies in the browser but we’ve already made changes on the server side to address the new requirements. For compatibility reasons we set two versions of our cookies, one with and one without the sameSite attribute, so you may see sameSite warnings for cookies named auth0_compat and did_compat. This is not a problem.

If you’re using recent versions of our SDKs cookie handling should generally be taken care of for you, but if you’re manually making HTTP calls you may need to confirm the cookie attributes. In any case there’s no substitute for functional testing–I strongly recommend enabling the new cookie handling behavior for testing:

“to test the effect of the new Chrome behavior on your site or cookies you manage, you can go to chrome://flags in Chrome 76+ and enable the “SameSite by default cookies” and “Cookies without SameSite must be secure” experiments”.

Note Chrome will not enforce the new cookie handling behavior for cookies set without a SameSite attribute less than two minutes ago. This is described in the Nov. 1, 2019 post here:

You can disable the POST+Lax behavior by setting a flag on the command line (described under the Nov. 21 post at the previous link). Firefox does not implement the POST+Lax behavior so may be easier for testing. The Firefox settings are available under about:config by setting the following flags to True:

network.cookie.sameSite.laxByDefault
network.cookie.sameSite.noneRequiresSecure

Certain extensions on the Auth0 dashboard may also need to be updated, but we’ll notify you via the dashboard and email when updates are required and available.

Hope this is helpful.


Hey Lily, having similar issues with SPA React Sample App.
Created a post here >>

Commenting here, because I had the same doubt. I think we need more info.

Had doubts like:

Do I have to make any changes when using SPA?
If it’s not necessary, why is the SPA React sample not working?

Anyway, hope this reply helps someone who had the same doubt.


Thank you for sharing your post here! @FerJSsilva

Please let me know if you need more information from me.

@lily.wisecarver Can you help me answer those questions?

Hi,

Do I have to make any changes when using SPA?

If it’s not necessary why the SPA React sample is not working?

For compatibility reasons we set two versions of our cookies, one with and one without the sameSite attribute, so you may see sameSite warnings for cookies named auth0_compat and did_compat. If those are the only cookies you’re seeing an error for then you should be OK.

The problem is that the sample application stops working =/

No changes were made.

The only error is the same-site one.
