Okta-Signin-Widget Samesite Attribute Not Set

I am using the Okta-Signin-Widget and am getting the following warning in Chrome:

“A cookie associated with a cross-site resource at https://[REMOVED]-admin.oktapreview.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.”

I am using @okta/okta-signin-widget (3.4.2) and Chrome 78.0.3904.108.

Anyone know why these attributes are not set, or how to set them?

Bugs Fixed in 2019.10.2

  • A SameSite=None attribute sent by Okta caused a bug in cross-site handling of cookies in Chrome on iOS 12.* or earlier. (OKTA-254174)

https://developer.okta.com/docs/release-notes/#bugs-fixed-in-2019-10-2

Thank you for the reply. I am currently not using iOS 12.* or iOS devices. If this is still the cause of the problem I am seeing, is there something I need to do to get rid of this Chrome warning?

Still an issue with sign-in widget 4.4.3. The SameSite attribute is set to Lax. I don’t know if this is because Okta Auth is explicitly setting it or it is not being set, which defaults to SameSite=Lax.

According to the issue generated by Chrome:

Resolve this issue by updating the attributes of the cookie:

  • Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.

Would love to know how to set this via Okta APIs.

So after some further research I think that this is being handled in the okta-auth-js layer and the reason it is Lax is because I am running http on localhost. I have not tested yet on https but it seems as if it is working as designed.
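The two behaviours discussed in this thread (a cookie set without SameSite being treated as Lax and warned about, and SameSite=None only being honoured together with Secure) can be checked on any Set-Cookie header before a deployment reaches Chrome. The following is an added example, not code from the thread, the Okta widget or okta-auth-js; the header strings and the cookie name sid are constructed.

```javascript
// Parse one Set-Cookie header value into the attributes relevant to
// Chrome's SameSite rules. A missing SameSite attribute is kept as null
// so it can be distinguished from an explicit SameSite=Lax.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = nameValue.indexOf("=");
  const cookie = {
    name: eq === -1 ? nameValue : nameValue.slice(0, eq),
    sameSite: null,
    secure: false,
  };
  for (const attr of attrs) {
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).trim().toLowerCase();
    const value = i === -1 ? "" : attr.slice(i + 1).trim().toLowerCase();
    if (key === "secure") cookie.secure = true;
    else if (key === "samesite") cookie.sameSite = value;
  }
  return cookie;
}

// Verdict for a cross-site request:
//   "default-lax": no SameSite attribute, treated as Lax and flagged by the
//                  console warning quoted in the thread
//   "sent":        SameSite=None together with Secure (third-party use works)
//   "rejected":    SameSite=None without Secure, Chrome discards the cookie;
//                  this is what happens on plain http://localhost, where
//                  Secure cannot be satisfied, so Lax is the safe fallback
//   "not-sent":    explicit Lax or Strict, withheld on cross-site requests
function crossSiteVerdict(header) {
  const c = parseSetCookie(header);
  if (c.sameSite === null) return "default-lax";
  if (c.sameSite === "none") return c.secure ? "sent" : "rejected";
  return "not-sent";
}

// Audit a list of headers, e.g. collected from a response in a test run.
function checkCookies(headers) {
  return headers.map((h) => ({ name: parseSetCookie(h).name, verdict: crossSiteVerdict(h) }));
}

// Constructed sample headers (not captured from an Okta response).
const sampleHeaders = [
  "sid=abc123; Path=/; Secure; HttpOnly",
  "sid=abc123; Path=/; SameSite=None; Secure; HttpOnly",
  "sid=abc123; Path=/; SameSite=None; HttpOnly",
  "sid=abc123; Path=/; SameSite=Lax",
];
```

Running `checkCookies(sampleHeaders)` reports the first header as "default-lax" and the third as "rejected"; only the second would survive a cross-site request.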
