Errors in Chrome with SameSite using Okta-Auth-JS

When using the Okta-Auth-JS to interact with my Okta Org, we have recently started seeing this error in the developer console.
A cookie associated with a cross-site resource at https://[REMOVED].okta.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.


Hi @jphines, can you tell us which cookies are causing this to be shown? Thanks!

Hi @jphines,

This is a warning because these cookies (okta-oauth-nonce & okta-oauth-state) aren’t tagged with the SameSite attribute. It shouldn’t cause any functionality issues, since these cookies aren’t sent to the server, and server-bound cookies are the only ones that’ll be affected in future Chrome versions.
Having said that, we will add a fix that will tag these cookies with the right attributes so that the warnings won’t appear. Thanks for bringing this to our notice.

@robertjd Here is what my console is showing.

@vijet I know currently there aren’t any functional issues, but by Feb 2020 Chrome will not allow any SameSite attributes to not be set. Is this an issue with the okta-auth-js SDK that needs to be updated to set this SameSite value? I’m basically the only Okta developer on my team, and when this started showing up in the Chrome console, it became my job to get it fixed. Any information or direction would be greatly appreciated!
Thanks!

Details were announced in the latest blog post by Google; many SaaS providers, such as Salesforce, are adapting.

Hopefully Okta can accomplish this in time.

@jphines - Okta is aware of the updates in Chrome’s SameSite policy and has already updated the cookies set by our server with the right attributes. The only cookies that’d be affected are the ones that are set by Okta’s servers. The JSESSIONID in this case, even though it points to the Okta domain, is being set by a Tomcat server (used by Okta) but won’t cause any issues without the SameSite attribute. There are no issues with the auth-js SDK, as the cookies (set by the SDK) aren’t sent to Okta servers.
In fact, we updated our release notes on Oct 9 to indicate that we have updated all the cookies with the SameSite attribute - https://developer.okta.com/docs/release-notes/2019-10-0/#cookies-updated-to-preserve-cross-functionality

If you face any issues in the future, don’t hesitate to contact us.
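As an added example that is not part of this thread or of the Okta SDK, the following script audits Set-Cookie response headers against the Chrome rules discussed above: a cookie with no SameSite attribute will be treated as SameSite=Lax and withheld from cross-site requests, and SameSite=None is only honoured when Secure is also present. The cookie names in the sample headers are taken from the thread; their values and attributes are constructed.

```javascript
// Parse one Set-Cookie header into its name and a lower-cased attribute map.
// Value-less attributes (Secure, HttpOnly) are stored as `true`.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [name] = parts[0].split('=');
  const attrs = {};
  for (const part of parts.slice(1)) {
    const eq = part.indexOf('=');
    const key = (eq === -1 ? part : part.slice(0, eq)).trim().toLowerCase();
    attrs[key] = eq === -1 ? true : part.slice(eq + 1).trim();
  }
  return { name: name.trim(), attrs };
}

// Classify a header under the new Chrome defaults. Returns one of:
// 'ok', 'missing-samesite', 'none-without-secure', 'invalid-samesite'.
function classifyCookie(header) {
  const { attrs } = parseSetCookie(header);
  if (!('samesite' in attrs)) return 'missing-samesite';     // will default to Lax
  const mode = String(attrs.samesite).toLowerCase();
  if (mode === 'none') {
    return attrs.secure === true ? 'ok' : 'none-without-secure'; // None requires Secure
  }
  if (mode === 'lax' || mode === 'strict') return 'ok';
  return 'invalid-samesite';
}

// Audit a list of Set-Cookie headers and return only those whose
// cross-site behaviour will change or that Chrome will reject.
function auditSetCookieHeaders(headers) {
  return headers
    .map((h) => ({ name: parseSetCookie(h).name, verdict: classifyCookie(h) }))
    .filter((r) => r.verdict !== 'ok');
}

// Constructed sample headers (names from the thread, values made up).
const SAMPLE_HEADERS = [
  'JSESSIONID=abc123; Path=/; HttpOnly',                       // no SameSite at all
  'okta-oauth-nonce=n0S6WzA2Mj; Path=/; Secure; SameSite=None', // compliant
  'okta-oauth-state=st8; Path=/; SameSite=None',               // None without Secure
  'sid=xyz; Path=/; Secure; HttpOnly; SameSite=Lax',           // compliant
];

console.log(auditSetCookieHeaders(SAMPLE_HEADERS));
```

Run it with `node` and feed it the Set-Cookie headers captured from the Network tab to see which cookies the console warning refers to.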