Okta-Signin-Widget Samesite Attribute Not Set

I am using the Okta-Signin-Widget and am getting the following warning in Chrome:

“A cookie associated with a cross-site resource at https://[REMOVED]-admin.oktapreview.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.”

I am using @okta/okta-signin-widget (3.4.2) and Chrome 78.0.3904.108.

Anyone know why these attributes are not set, or how to set them?

1 Like

Bugs Fixed in 2019.10.2

  • A SameSite=None attribute sent by Okta caused a bug in cross-site handling of cookies in Chrome on iOS 12.* or earlier. (OKTA-254174)


Thank you for the reply. I am currently not using iOS12.* or iOS devices. If this is still the cause of the problem I am seeing is there something I need to do to get rid of this Chrome warning?

Still an issue with sign-in widget 4.4.3. The SameSite attribute is set to Lax. I don’t know if this is because Okta Auth is explicitly setting it or it is not being set which defaults to SameSite=Lax

According to issue generated by Chrome

Resolve this issue by updating the attributes of the cookie:

  • Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.

Would love to know how to set this via Okta API’s

So after some further research I think that this is being handled in the okta-auth-js layer and the reason it is Lax is because I am running http on localhost. I have not tested yet on https but it seems as if it is working as designed.