Safari not sending cookie even after setting SameSite=None; Secure

javascript cookies safari setcookie samesite
DieOnTime picture DieOnTime · Oct 23, 2019 · Viewed 20.8k times · Source

Our application uses cookies to remember user login. Every auth API call we make, the browser attaches server-set HTTPonly cookie with the API request and gets authenticated. This behaviour seems to be broken in safari after Mojave release.

I read about the cross-site cookie security implemented by safari and our server team added SameSite=None;Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None

Please advise or provide links from people who actually found a solution..

Answer

rowan_m picture rowan_m · Oct 31, 2019

Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None is erroneously treated as SameSite=Strict, e.g. the most restrictive setting.

I've published some guidance in SameSite cookie recipes on either:

  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.

Related questions

Setting cross-domain cookies in Safari

I have to call domain A.com (which sets the cookies with http) from domain B.com. All I do on domain B.com is (javascript): var head = document.getElementsByTagName("head")[0]; var script = document.createElement("script"); script.src = "A.com/…

Read More
How do I set/unset a cookie with jQuery?

How do I set and unset a cookie using jQuery, for example create a cookie named test and set the value to 1?

Read More
Set cookie and get cookie with JavaScript

I'm trying to set a cookie depending on which CSS file I choose in my HTML. I have a form with a list of options, and different CSS files as values. When I choose a file, it should be saved …

Read More