Squirrl

Reputation: 4966

Why am I getting "Indicate whether to send a cookie in a cross-site request by specifying its SameSite attribute"?

In a Chrome warning, it says:

Specify SameSite=None and Secure if the cookie should be sent in cross-site requests. This enables third-party use.

How do I do this correctly using express-session?

// Module loads added so the snippet runs on its own; the rest is as posted.
const express = require('express')
const session = require('express-session')
const cors = require('cors')
const app = express()

app.use(
  cors({
    credentials: true,
    origin: ["http://localhost:3000", "https://elated-jackson-28b73e.netlify.app"] // Swap this with the client url
  })
)
var sess = {
  secret: 'keyboard cat',
  cookie: {}
}

if (app.get('env') === 'production') {
  app.set('trust proxy', 1) // trust first proxy
  sess.cookie.secure = true // serve secure cookies
  sess.cookie.sameSite = 'none'
}

app.use(session(sess))

Upvotes: 97

Views: 120156

Answers (3)

Utkarsh Sharma

Reputation: 26

If you are using the Google login button or any other identity service, add this:

<GoogleLogin onSuccess={() => {}} onError={() => {}} cookiePolicy='single-host-origin'/>

Upvotes: 1

astaga

Reputation: 91

I got the same issue when running my code on localhost. The affected resources are _ga, _gid, _utma, _utmz. All of them are from unpkg.com, and I got a Leaflet marker image failed request, but it doesn't affect the page.

Since I don't understand what the specific problem is, I just deleted the affected resource cookies in inspect element, and the code runs without the notification again.

I know it's probably better not to answer based on personal experience. Just tell me if it doesn't help at all.

Upvotes: 4

sifr_dot_in

Reputation: 3593

You are getting this because you are using a resource from another site, and that server is attempting to set a "cookie" that does not have the SameSite attribute set, which is being reported in newer versions of browsers.

This (may) also be shown if you are trying to access the server page from a local computer (XAMPP), which generally doesn't have SSL installed.

Set the header line in your server page (if in PHP) as below:
header("Set-Cookie: cross-site-cookie=whatever; SameSite=None; Secure");

(remember: this must be solved from the server side.)

Upvotes: 36
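The browser's complaint in the question, and the PHP header in the answer above, both come down to the attributes on the Set-Cookie header the server emits. The following is an added example, not code from the question, from any answer, or from express-session itself; it runs on plain Node.js with no express dependency. It parses a Set-Cookie header, classifies it the way the Chrome warning does (no SameSite, SameSite=None without Secure, or a valid cross-site cookie), and builds a header in the shape that the question's sess.cookie options (secure, sameSite) map to. buildSessionCookie is an approximation of how a session middleware serializes those options, not express-session's own code; the sample header values are constructed.

```javascript
// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so they are stored lowercased.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  const name = eq === -1 ? parts[0] : parts[0].slice(0, eq);
  const value = eq === -1 ? '' : parts[0].slice(eq + 1);
  const attrs = {};
  for (const part of parts.slice(1)) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name, value, attrs };
}

// Classify a Set-Cookie header the way the browser warning does:
//  - no SameSite attribute: defaults to Lax, so the cookie is dropped on
//    cross-site requests (the situation in the question);
//  - SameSite=None without Secure: the browser rejects the cookie outright;
//  - SameSite=None; Secure: sent cross-site, over HTTPS only.
function auditSetCookie(header) {
  const { name, attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : undefined;
  const secure = attrs.secure === true;
  if (sameSite === undefined) {
    return { name, ok: false, reason: 'missing SameSite; treated as Lax, not sent cross-site' };
  }
  if (sameSite === 'none' && !secure) {
    return { name, ok: false, reason: 'SameSite=None requires Secure; browser rejects the cookie' };
  }
  if (sameSite === 'none') {
    return { name, ok: true, reason: 'cross-site cookie, HTTPS only' };
  }
  return { name, ok: true, reason: 'SameSite=' + sameSite + '; same-site only' };
}

// Build a session cookie header from options shaped like the question's
// sess.cookie object ({ secure, sameSite, httpOnly, maxAge }). This is an
// assumed approximation of a session middleware's serializer, not express-session's code.
function buildSessionCookie(name, value, opts = {}) {
  const attrs = [name + '=' + encodeURIComponent(value), 'Path=/'];
  if (opts.httpOnly !== false) attrs.push('HttpOnly');
  if (opts.secure) attrs.push('Secure');
  if (opts.sameSite) {
    const v = String(opts.sameSite).toLowerCase();
    attrs.push('SameSite=' + v.charAt(0).toUpperCase() + v.slice(1));
  }
  if (Number.isInteger(opts.maxAge)) attrs.push('Max-Age=' + Math.floor(opts.maxAge / 1000));
  return attrs.join('; ');
}

// Constructed sample headers: the question's development config (empty cookie
// object), its production config, and the PHP header with and without Secure.
const sampleHeaders = [
  buildSessionCookie('connect.sid', 's:abc.def', {}),
  buildSessionCookie('connect.sid', 's:abc.def', { secure: true, sameSite: 'none' }),
  'cross-site-cookie=whatever; SameSite=None',
  'cross-site-cookie=whatever; SameSite=None; Secure',
];

for (const h of sampleHeaders) {
  console.log(JSON.stringify(auditSetCookie(h)) + '  <=  ' + h);
}
```

Running it shows why the development branch of the question's code still triggers the warning: with cookie: {} no SameSite is written, so the browser applies Lax and withholds the cookie on cross-site requests from the Netlify origin. The production branch produces SameSite=None; Secure, which is exactly the header the PHP answer sets by hand, and it only works over HTTPS.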
