Recently due to Chrome 80, it has been noted that cookies without the SameSite=None and Secure attributes will not get set in Chrome browsers.
Currently, I use the Flask-JWT-Extended library to generate my cookies for my backend, but even though it has the samesite=None in the set_cookies function the cookies still do not get set in the browser. I sent the request with Postman and viewed my cookie and got the below cookie:
access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;
I have tried manually setting the headers with:
resp.headers.add('Set-Cookie', 'access_token_cookie=bar; SameSite=None; Secure')
But even after setting the cookie manually, I still get the following cookie with no SameSite attribute:
access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;
I'm wondering if there is a way to set the SameSite attribute within the cookies right now.
Edit This is the code that I have for the site.
- List item
access_token = create_access_token(identity=user.username)
resp = jsonify({"username": user.username,
"user_type": user.roles
})
resp.headers.add('Set-Cookie', 'access_token_cookie=' + access_token + '; SameSite=None; Secure')
return resp
Recently due to Chrome 80, it has been noted that cookies without the SameSite=None and Secure attributes will not get set in Chrome browsers.
Currently, I use the Flask-JWT-Extended library to generate my cookies for my backend, but even though it has the samesite=None in the set_cookies function the cookies still do not get set in the browser. I sent the request with Postman and viewed my cookie and got the below cookie:
access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;
I have tried manually setting the headers with:
resp.headers.add('Set-Cookie', 'access_token_cookie=bar; SameSite=None; Secure')
But even after setting the cookie manually, I still get the following cookie with no SameSite attribute:
access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;
I'm wondering if there is a way to set the SameSite attribute within the cookies right now.
Edit This is the code that I have for the site.
- List item
access_token = create_access_token(identity=user.username)
resp = jsonify({"username": user.username,
"user_type": user.roles
})
resp.headers.add('Set-Cookie', 'access_token_cookie=' + access_token + '; SameSite=None; Secure')
return resp
3 Answers
Reset to default 2Chrome ignores cookies marked as Secure that was received via insecure channel.
So, you can either test this via https or remove the Secure attribute
In order to do this, I use make_response without any Flask plugins:
from flask import make_response, render_template
resp = make_response(render_template("index.html"))
resp.set_cookie('pwd', pwd, samesite="Lax")
The important part is resp.set_cookie('pwd', pwd, samesite="Lax"). The samesite argument lets you set the SameSite of the cookie.
You're correct in thinking that Chrome now requires cookies marked SameSite=None to also be marked Secure:
Any cookie that requests
SameSite=Nonebut is not markedSecurewill be rejected.
However, the Domain you specify for your cookie (127.0.0.1) indicates that the request's server origin is an insecure one (i.e. using the http scheme), and you should be aware that, due to a feature known as Strict Secure Cookies, attempts to set a Secure cookie from an insecure origin fail in Chrome 58+:
This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies.
Therefore, if you want to set a cookie marked SameSite=None in modern Chrome, the origin needs to be secure (i.e. use the https scheme).