Recently, due to Chrome 80, it has been noted that cookies without the SameSite=None and Secure attributes will not get set in Chrome browsers.

Currently, I use the Flask-JWT-Extended library to generate my cookies for my backend, but even though it has `samesite=None` in the `set_cookies` function, the cookies still do not get set in the browser. I sent the request with Postman, viewed my cookie and got the cookie below:

```
access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;
```

I have tried manually setting the headers with:

```python
resp.headers.add('Set-Cookie', 'access_token_cookie=bar; SameSite=None; Secure')
```

But even after setting the cookie manually, I still get the following cookie with no SameSite attribute:

```
access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;
```

I'm wondering if there is a way to set the SameSite attribute within the cookies right now.
Edit: This is the code that I have for the site.

```python
from flask import jsonify
from flask_jwt_extended import create_access_token

# `user` is the authenticated user object looked up earlier in the view
access_token = create_access_token(identity=user.username)
resp = jsonify({"username": user.username,
                "user_type": user.roles})
# Manually append a Set-Cookie header carrying the JWT with the SameSite/Secure attributes
resp.headers.add('Set-Cookie', 'access_token_cookie=' + access_token + '; SameSite=None; Secure')
return resp
```
asked Apr 1, 2020 at 21:23 by Bryan Wong; edited Mar 28, 2021 at 11:49 by jub0bs
3 Answers
Chrome ignores cookies marked as Secure that were received via an insecure channel. So, you can either test this via https or remove the Secure attribute.
In order to do this, I use `make_response` without any Flask plugins:

```python
from flask import make_response, render_template

# `pwd` is the cookie value, defined elsewhere in the view
resp = make_response(render_template("index.html"))
resp.set_cookie('pwd', pwd, samesite="Lax")
```

The important part is `resp.set_cookie('pwd', pwd, samesite="Lax")`. The `samesite` argument lets you set the SameSite of the cookie.
You're correct in thinking that Chrome now requires cookies marked `SameSite=None` to also be marked `Secure`:

> Any cookie that requests SameSite=None but is not marked Secure will be rejected.

However, the Domain you specify for your cookie (`127.0.0.1`) indicates that the request's server origin is an insecure one (i.e. using the `http` scheme), and you should be aware that, due to a feature known as Strict Secure Cookies, attempts to set a Secure cookie from an insecure origin fail in Chrome 58+:

> This adds restrictions on cookies marked with the 'Secure' attribute. Currently, Secure cookies cannot be accessed by insecure (e.g. HTTP) origins. However, insecure origins can still add Secure cookies, delete them, or indirectly evict them. This feature modifies the cookie jar so that insecure origins cannot in any way touch Secure cookies.

Therefore, if you want to set a cookie marked `SameSite=None` in modern Chrome, the origin needs to be secure (i.e. use the `https` scheme).
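The two rules the answers above rely on (SameSite=None needs Secure, and a Secure cookie cannot be set from an http origin) are easy to get wrong by hand, so here is an added example that checks a raw Set-Cookie header against them before it ever reaches a browser. This is not code from the question or from any of the answers, and it does not use Flask or Flask-JWT-Extended; it is plain Python with a small Set-Cookie parser. The header strings and the `scheme` argument are constructed for illustration, and the rule-name constants are my own.

```python
"""Check a Set-Cookie header against Chrome's SameSite/Secure rules.

Added example, not code from the question or any answer. It encodes the
behaviour the answers describe:

  1. SameSite=None requires the Secure attribute (Chrome 80+).
  2. A Secure cookie cannot be set from an insecure (http) origin
     (Strict Secure Cookies, Chrome 58+).
  3. A cookie with no SameSite attribute is treated as SameSite=Lax by
     Chrome 80+, so it will not be sent on cross-site requests.

All header strings below are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

# Finding texts (assumed names, not from any library)
NO_SECURE = "SameSite=None requires the Secure attribute"
INSECURE_ORIGIN = "Secure cookie cannot be set from an insecure (http) origin"
NO_SAMESITE = "no SameSite attribute: Chrome 80+ treats the cookie as SameSite=Lax"


@dataclass
class Cookie:
    name: str
    value: str
    # attribute name (lower-cased) -> value, or None for bare flags like Secure
    attributes: Dict[str, Optional[str]] = field(default_factory=dict)


def parse_set_cookie(header: str) -> Cookie:
    """Split 'name=value; Attr=val; Flag' into a Cookie.

    Attribute names are case-insensitive (RFC 6265), so they are lower-cased
    for lookup. A trailing ';' like the one in the question's header is
    tolerated.
    """
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip() if sep else None
    return Cookie(name.strip(), value.strip(), attrs)


def check_cookie(header: str, scheme: str) -> List[str]:
    """Return the findings for a Set-Cookie header sent over `scheme`.

    An empty list means Chrome 80+ stores the cookie and will send it on
    cross-site requests only if SameSite=None was requested.
    """
    cookie = parse_set_cookie(header)
    secure = "secure" in cookie.attributes
    samesite = (cookie.attributes.get("samesite") or "").lower()
    findings: List[str] = []
    if samesite == "none" and not secure:
        findings.append(NO_SECURE)
    if secure and scheme.lower() != "https":
        findings.append(INSECURE_ORIGIN)
    if not samesite:
        findings.append(NO_SAMESITE)
    return findings


if __name__ == "__main__":
    # Constructed cases: the two headers from the question, and a corrected one
    cases = [
        ("access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;", "http"),
        ("access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;", "http"),
        ("access_token_cookie=my_token; Path=/; SameSite=None; Secure; HttpOnly", "https"),
    ]
    for hdr, scheme in cases:
        result = check_cookie(hdr, scheme) or ["ok"]
        print(f"[{scheme}] {hdr}\n    -> {'; '.join(result)}")
```

Run against the question's own headers over `http`, the checker reports both that the Secure flag cannot be set from an insecure origin and that no SameSite attribute is present, which is exactly the combination the third answer explains; the same cookie served over `https` with `SameSite=None; Secure` passes. In Flask the clean way to produce that passing header is the second answer's `resp.set_cookie(...)` with `samesite="None", secure=True`, rather than appending a second raw `Set-Cookie` header.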