Why is authentication lost after refreshing my single page application in Chrome?

I have problems with silent reauthentication in the “latest” Chrome 92.

I’ve read and understood the well-described topic in “Why is authentication lost after refreshing my single page application?”, but there currently appears to be a problem in Chrome only. My application has no Social Connection configured; only the username/password method is allowed. Chrome is set to allow third-party cookies, and I can see that after a valid login the cookies are properly set to true, but on refresh they are cleared (after the silent request to the Auth0 server).

There are no issues with Firefox for instance. There’s also no problem if I set the localstorage as cacheLocation.

What could be the problem? Is it something Chrome has “changed”, or something locally on my side?

Hi @rstardev,

Welcome to the Auth0 Community!

How are you implementing silent auth? Did you follow one of our quickstarts?

Also, are you seeing any errors in the development console of Chrome or in the Auth0 Dashboard?

Hi, yes, I just used the vanilla JS quickstart.
Actually, it is reproducible with the quickstart sample app (e.g. the https://github.com/auth0-samples/auth0-javascript-samples/tree/master/01-Login repository).

In fact, I see Firefox is logging some info which can give more insight into the reason why it doesn’t work in Chrome.

Cookie “auth0.is.authenticated” will be soon rejected because it has the “SameSite” attribute set to “None” or an invalid value, without the “secure” attribute. To know more about the “SameSite“ attribute, read Set-Cookie - HTTP | MDN

And I’m 99% sure Chrome already rejects such cookies.
I guess there’ll be no problem when a custom domain is set, as then the SPA and the authorization server will be on the same domain.
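The rule in the Firefox warning quoted above, as an added example that is not part of the original thread or of Auth0's code: a small checker that classifies a cookie string by its `SameSite` and `Secure` attributes. The function names, verdict labels and sample cookie strings are assumptions constructed for illustration.

```javascript
// Classify a cookie string (a Set-Cookie header value or a document.cookie
// assignment) under the SameSite rule described in the Firefox warning.
function parseCookie(cookieString) {
  const [pair, ...rest] = cookieString.split(";").map((part) => part.trim());
  const eq = pair.indexOf("=");
  const name = eq === -1 ? pair : pair.slice(0, eq);
  const attributes = {};
  for (const attr of rest) {
    if (!attr) continue; // tolerate a trailing ';'
    const i = attr.indexOf("=");
    // Attribute names are case-insensitive; flag attributes carry no value.
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    attributes[key] = i === -1 ? "" : attr.slice(i + 1).trim();
  }
  return { name, attributes };
}

function auditSameSite(cookieString) {
  const { name, attributes } = parseCookie(cookieString);
  const secure = "secure" in attributes;
  const sameSite = (attributes.samesite || "").toLowerCase();

  if (sameSite === "none") {
    // SameSite=None is only honoured together with Secure.
    return secure
      ? { name, verdict: "cross-site", reason: "SameSite=None with Secure" }
      : { name, verdict: "rejected", reason: "SameSite=None without Secure" };
  }
  if (sameSite === "strict" || sameSite === "lax") {
    return { name, verdict: "same-site-only", reason: `SameSite=${sameSite}` };
  }
  // Missing or unrecognised value: Chrome falls back to its Lax default.
  return { name, verdict: "same-site-only", reason: "defaults to Lax" };
}

// Constructed sample cookie strings, not captured from a real session.
const samples = [
  "auth0.is.authenticated=true; SameSite=None",
  "auth0.is.authenticated=true; SameSite=None; Secure",
  "session=abc; Path=/",
];
for (const sample of samples) {
  const { verdict, reason } = auditSameSite(sample);
  console.log(`${sample} => ${verdict} (${reason})`);
}
```
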

If I boot up our vanilla js quickstart in chrome 92:latest everything works as expected. Can you provide a HAR of your failed transaction in a DM please?

Is there a reason why you don’t use this strategy?

I currently use the localstorage strategy, no issues with it, it’s perfect.

But as cookies are the default when starting the project, I was at first puzzled about what was not working and why, and was just going to try Okta when I saw it’s actually working in Firefox and started digging more to find out why from a dev’s perspective.

As you said it’s working properly for you, I started to think even more that it’s just something specific to my Chrome. And finally I think I found out why. It’s because of this Chrome extension: Privacy Badger (Chrome Web Store).

So there’s nothing wrong with Auth0. What Privacy Badger does to prevent these Auth0 cookies, and why, I don’t know.

Thanks for your assistance, I believe this “issue” can be resolved now.

Thanks for following up.