Reputation: 103
I have a website a.com that has a third-party app pointing to apps.b.com. When I log in to a.com, I'm also authenticated to apps.b.com in the background using the same credentials. This is so the users do not have to log in to access apps.b.com. I understand that the browser sends all the cookies to apps.b.com when making the request to it. This is how it works now. Reading the article https://web.dev/samesite-cookies-explained/ in regards to the SameSite attribute, it appears apps.b.com is a third-party site. Now do I have to configure the web server on a.com to set the cookie to SameSite=None; Secure, OR do I have to set SameSite=None; Secure on the web server on apps.b.com?
Upvotes: 1
Views: 505
Reputation: 3050
Any time you are making a cross-site request that needs cookies, then those cookies need to be marked SameSite=None; Secure.

So, for example, if the user is on a.com and you have an <iframe> or fetch() to apps.b.com that expects cookies, then the apps.b.com cookies need SameSite=None; Secure.

Vice versa, if the user is on apps.b.com and you are making requests to a.com to check their auth status by relying on the a.com cookies, then those cookies need SameSite=None; Secure.

Essentially the pattern you're looking for is: when the site in the browser location bar is different to the site that needs the cookies, then those are the cookies that need marking. So, depending on your setup, it may be one or both.
Upvotes: 1
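As an added example (not code from the question or the answer above), here is what the apps.b.com side of the answer's "user is on a.com, fetch() to apps.b.com" case looks like in plain Node.js, together with a small helper that applies the answer's rule: the cookie belongs to the site being requested, and it needs SameSite=None; Secure only when that site differs from the site in the location bar. The hostnames a.com and apps.b.com come from the question; the cookie name "session", the /login and /whoami paths, the port, and the two-label approximation of a "site" are assumptions made for this example.

```javascript
// Added example: SameSite=None; Secure on the cookie of the site being
// requested cross-site (apps.b.com), as described in the answer above.
// Hostnames from the question; cookie name, paths and port are assumed.

// Approximate the registrable domain ("site") as the last two host labels.
// Browsers use the Public Suffix List; this is enough for a.com vs apps.b.com.
function siteOf(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// A request from a page at topLevelUrl to requestUrl is cross-site when the
// two registrable domains differ (a.com -> apps.b.com), and same-site when
// only the subdomain differs (b.com -> apps.b.com).
function isCrossSite(topLevelUrl, requestUrl) {
  return siteOf(new URL(topLevelUrl).hostname) !== siteOf(new URL(requestUrl).hostname);
}

// Build a Set-Cookie header value. A cookie that must travel on cross-site
// requests gets SameSite=None; Secure (browsers reject None without Secure);
// otherwise the safer Lax default is kept so the cookie never leaves its site.
function buildSetCookie(name, value, { crossSite }) {
  const parts = [`${name}=${value}`, "Path=/", "HttpOnly"];
  if (crossSite) {
    parts.push("SameSite=None", "Secure");
  } else {
    parts.push("SameSite=Lax");
  }
  return parts.join("; ");
}

// Given the page the user is on and the URLs it fetches with credentials,
// return the sites whose cookies need SameSite=None; Secure. For the
// question's setup this answers "a.com, apps.b.com or both?".
function cookiesNeedingNone(topLevelUrl, requestUrls) {
  const needed = new Set();
  for (const u of requestUrls) {
    if (isCrossSite(topLevelUrl, u)) needed.add(siteOf(new URL(u).hostname));
  }
  return [...needed].sort();
}

// Minimal stand-in for apps.b.com: /login issues the session cookie, /whoami
// reads it. A credentialed cross-site fetch() also needs CORS headers that
// name the exact calling origin and allow credentials; "*" is not accepted
// together with credentials, so the origin is pinned to https://a.com.
function handler(req, res) {
  res.setHeader("Access-Control-Allow-Origin", "https://a.com");
  res.setHeader("Access-Control-Allow-Credentials", "true");
  res.setHeader("Vary", "Origin");
  if (req.url === "/login") {
    // "opaque-token" is a constructed placeholder for a real session id.
    res.setHeader("Set-Cookie", buildSetCookie("session", "opaque-token", { crossSite: true }));
    res.end("logged in");
  } else if (req.url === "/whoami") {
    const cookie = req.headers.cookie || "";
    res.end(/(^|;\s*)session=/.test(cookie) ? "authenticated" : "anonymous");
  } else {
    res.statusCode = 404;
    res.end();
  }
}

// Start the server only when asked, e.g. START_SERVER=1 node samesite.js
if (typeof process !== "undefined" && process.env.START_SERVER === "1") {
  require("http").createServer(handler).listen(8443, () => {
    console.log("apps.b.com stand-in listening on :8443");
  });
}
```

On the a.com page the matching call is fetch("https://apps.b.com/whoami", { credentials: "include" }); without credentials: "include" the browser omits the cookie regardless of its SameSite value, and without the CORS headers above the response is blocked. Running cookiesNeedingNone("https://a.com/", ["https://apps.b.com/whoami"]) returns ["b.com"], i.e. only the apps.b.com cookies need the attribute for the flow in the question, which is the answer's "depending on your setup, it may be one or both" made concrete.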