
User agent based `sameSite` cookie value


Starting in July, Chrome in specific cases requires the `sameSite` property of cookies to be set to `None`. However, some browsers, like specific versions of Safari, don’t support that value and automatically switch to `Strict` when `None` is sent. User agent sniffing is therefore necessary for deciding which value to send, which however isn’t possible with the current implementation of express-session.

Since I wouldn’t include the UA sniffing part in this library (neither did Microsoft with ASP.NET Core), would it be OK to add the functionality for `sameSite` to also accept a function `(req) => string | boolean` to set the value based on the incoming request?

Issue Analytics

  • State: closed
  • Created 3 years ago
  • Comments: 5 (3 by maintainers)

Top GitHub Comments

1 reaction
dougwilson commented, May 30, 2020

The issue with this proposal, of course, is that you will need to go through all the modules on npm getting them to do this. I would suggest (if not already on npm) to create a module that will alter any existing `Set-Cookie` headers on the response just before they are sent, as a hook. When it sniffs that the user agent is Safari, it would remove `SameSite=None` from the header. This solution would not require every npm module to add `sameSite` as a function or similar and require users to then add this sniffing logic there for everything that needs it 👍
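One way to build the hook suggested above, as an added example that is not code from express-session, from the issue author or from dougwilson: a Connect-style middleware that wraps `res.writeHead`, inspects the outgoing `Set-Cookie` header(s) and strips `SameSite=None` for clients known to treat it as `Strict`. The incompatible-client check is an illustrative heuristic covering the iOS 12 and macOS 10.14 Safari case only, the user agents and cookie value are constructed samples, and all function names are mine.

```javascript
// Added example (not express-session code): rewrite Set-Cookie headers for
// clients that mishandle SameSite=None, just before the headers are sent.

// Illustrative heuristic only (assumption, not an exhaustive list): matches
// WebKit clients on iOS 12 and Safari on macOS 10.14, which treat
// SameSite=None as SameSite=Strict. Production code needs the full
// incompatible-client list.
function isSameSiteNoneIncompatible(userAgent) {
  const ua = userAgent || '';
  // Every browser on iOS 12 uses the system WebKit, so match the OS, not the app.
  if (/\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit\//.test(ua)) return true;
  // Safari on macOS 10.14 carries a "Version/" token; Chrome does not, even
  // though Chrome's UA string also ends in "Safari/".
  if (/Macintosh;.*Mac OS X 10_14[_\d]*.*Version\/.* Safari\//.test(ua) &&
      !/Chrome\//.test(ua)) return true;
  return false;
}

// Remove a SameSite=None attribute (case-insensitive) from one Set-Cookie value.
// The cookie then has no SameSite attribute at all, which these legacy clients
// treat as "no restriction", i.e. what SameSite=None was meant to express.
function stripSameSiteNone(cookieValue) {
  return cookieValue.replace(/;\s*SameSite=None\b/i, '');
}

// Apply the rewrite to whatever res.getHeader('Set-Cookie') returns: undefined,
// a single string, or an array of strings. Compatible clients get the very same
// value back, so callers can skip setHeader when nothing changed.
function adjustSetCookie(setCookie, userAgent) {
  if (setCookie == null || !isSameSiteNoneIncompatible(userAgent)) return setCookie;
  const values = Array.isArray(setCookie) ? setCookie : [setCookie];
  const fixed = values.map(stripSameSiteNone);
  return Array.isArray(setCookie) ? fixed : fixed[0];
}

// Express/Connect-style middleware. Wrapping res.writeHead runs the rewrite
// after every other module has added its cookies but before the headers leave
// the process. Register it BEFORE express-session: express-session sets its
// cookie from a writeHead hook too, and hooks installed later run first.
function sameSiteCompatMiddleware(req, res, next) {
  const userAgent = req.headers['user-agent'];
  const originalWriteHead = res.writeHead;
  res.writeHead = function patchedWriteHead(...args) {
    const current = res.getHeader('Set-Cookie');
    const fixed = adjustSetCookie(current, userAgent);
    if (fixed !== current) res.setHeader('Set-Cookie', fixed);
    return originalWriteHead.apply(this, args);
  };
  next();
}

// Constructed sample user agents and cookie for a stand-alone run (not taken
// from real traffic).
const UA_IOS12_SAFARI = 'Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1';
const UA_MAC_SAFARI_10_14 = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/12.1.2 Safari/605.1.15';
const UA_MAC_CHROME = 'Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/83.0.4103.61 Safari/537.36';
const SAMPLE_COOKIE = 'connect.sid=s%3Aabc.def; Path=/; HttpOnly; Secure; SameSite=None';

// Minimal fake request/response to exercise the middleware without a server.
function simulate(userAgent, setCookie) {
  const headers = { 'Set-Cookie': setCookie };
  const req = { headers: { 'user-agent': userAgent } };
  const res = {
    getHeader: (name) => headers[name],
    setHeader: (name, value) => { headers[name] = value; },
    writeHead() { return this; },
  };
  sameSiteCompatMiddleware(req, res, () => {});
  res.writeHead(200);
  return headers['Set-Cookie'];
}

console.log(simulate(UA_IOS12_SAFARI, SAMPLE_COOKIE)); // attribute stripped
console.log(simulate(UA_MAC_CHROME, SAMPLE_COOKIE));   // left unchanged
```

Note that the rewrite leaves the `Secure` flag and every other attribute in place; only the one attribute the legacy client misreads is dropped, and only for that client, so modern browsers still receive the explicit `SameSite=None` they now require.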

0 reactions
stephtr commented, May 30, 2020

I just thought that basically everyone using `sameSite: 'none'` will run into that issue, and I didn’t think about changing the `Set-Cookie` header by using a middleware. Anyway, thank you again for your help!
