Is there any way to set a cookie on browsers which restrict cookies by default, without hosting the frontend myself? #620

Open
danielbatch opened this issue Jul 14, 2022 · 2 comments

@danielbatch

I’m trying to set a cookie in the browser when signing in by email/password, returning this Set-Cookie response header, following this doc.
https://discovery.viron.plus/docs/Advanced-Guides/authentication#cookie

auth_key=eyxxxxxxxxxxxxxxxxxxxxxx0A; Path=/; HttpOnly; SameSite=None;

And this cookie is set only in the “MacOS, Google Chrome” environment.

Name: auth_key
Value: eyxxxxxxxxxxxxxxxxxxxxxx0A
Domain: myApiServerDomain
Path: /
Expires: session
HttpOnly: true
Secure: true
SameSite: none

Is there any way to set the cookie on other frequently used browsers which restrict cookies by default, like Desktop Safari, SP Safari, Chrome?

I want to set the cookie in the following environments without hosting Viron myself or changing browser default settings.

I investigated these environments:

PC

MacOS, Google Chrome, 103.0.5060.114(Official Build) (arm64)
Default cookie setting: “blocks 3rd party cookie on secret browsing”
=> cookie is set.

Safari, 14.1.2 (16611.3.10.1.6)
Default cookie setting: “blocks CROSS-SITE TRACKING”
=> cookie is not set

SP

iOS15.5, Google Chrome, 103.0.5060.63
Default cookie setting: “blocks CROSS-SITE TRACKING”
=> cookie is not set

iOS15.5, Safari, 604.1
Default cookie setting: “blocks CROSS-SITE TRACKING”
=> cookie is not set

Thanks,

@cathcheeno
Contributor

@danielbatch
The behavior is not something I expected. Maybe a bug, so I'll work on the problem.

By the way, it seems you set the Domain attribute while Viron recommends that it be omitted. Could you omit it if it's OK, and let me know how things go?

@danielbatch
Author

@cathcheeno
Hi, I've omitted the Domain attribute from the response header sent by the server.
I generated the HttpOnly, Secure and SameSite attributes on the server myself.
The response header on POST /authentication looks like this:

Set-Cookie: auth_key =eyxxxxxxxxxxxxxx0A; path=/; HttpOnly; Secure; SameSite=None

And only Google Chrome sets the cookie, with Domain myApiServerDomain, as shown in the description of this issue.

Thanks,
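
An added example, not part of the issue thread or of Viron's code: a small JavaScript check of a Set-Cookie value for the attribute points raised above (SameSite=None paired with Secure, HttpOnly present, Domain omitted). The names `parseSetCookie` and `lintSetCookie` and the finding strings are hypothetical, and the sample headers are constructed from the two quoted in the thread with shortened values.

```javascript
// Added example: lint one Set-Cookie header value for cross-site use.
// Function names and finding strings are hypothetical, not Viron's API.
function parseSetCookie(header) {
  const value = header.replace(/^set-cookie:\s*/i, "");
  const [pair, ...attrParts] = value.split(";");
  const eq = pair.indexOf("=");
  const rawName = eq === -1 ? "" : pair.slice(0, eq);
  const attrs = {};
  for (const part of attrParts) {
    const p = part.trim();
    if (!p) continue; // tolerate a trailing ';'
    const i = p.indexOf("=");
    const key = (i === -1 ? p : p.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : p.slice(i + 1).trim();
  }
  return { rawName, name: rawName.trim(), attrs };
}

function lintSetCookie(header) {
  const { rawName, name, attrs } = parseSetCookie(header);
  const findings = [];
  const sameSite = String(attrs.samesite || "").toLowerCase();
  if (!name) findings.push("missing-name");
  // RFC 6265 parsers trim this whitespace, but the header is not well-formed.
  if (rawName !== name) findings.push("whitespace-around-name");
  // Browsers that enforce the SameSite rules reject None without Secure.
  if (sameSite === "none" && !attrs.secure) findings.push("samesite-none-without-secure");
  if (!attrs.httponly) findings.push("missing-httponly");
  // The thread notes that Viron recommends omitting Domain.
  if ("domain" in attrs) findings.push("domain-attribute-set");
  return findings;
}

// Constructed samples modelled on the two headers quoted in the thread.
const first = "auth_key=eyxxxx0A; Path=/; HttpOnly; SameSite=None;";
const second = "Set-Cookie: auth_key =eyxxxx0A; path=/; HttpOnly; Secure; SameSite=None";
console.log(lintSetCookie(first));  // findings for the first header
console.log(lintSetCookie(second)); // findings for the second header
```

An empty result only means the attributes are consistent; a browser's default cross-site cookie restrictions, such as the settings listed in the issue, apply independently of them.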
