I added SameSite=None; Secure; to Set-Cookie, but the cookie was not set and I can't log in to my site.
// token, csrfToken, time (a Date) and hostname are set earlier in the request handler
response.writeHead(200, {
  'Content-Type': 'application/json',
  'Set-Cookie': 'token=' + token + '; SameSite=None; Secure; Expires=' + time.toUTCString() + '; Path=/' + '; Domain=' + hostname,
  'csrf-token': csrfToken
});
I reviewed the cookie in developer tools under Application > Storage > Cookies to see more details. It showed a warning message:
this set-cookie was blocked because it was not sent over a secure connection
Chrome blocks the cookie because I work in the development environment and send HTTP requests. But the same test logs in correctly in the Firefox browser.
I put the word Secure inside the cookie and it worked properly, but the word Secure must be used next to SameSite=None for cross-origin, otherwise the cookie will be blocked.
My question is: why, when I use Secure, does only the Chrome browser block the cookie, while it works in other browsers? And if I do not use Secure, I cannot test the payment gateway, because Chrome blocks cross-origin if I do not use Secure...
from Session cookie set `SameSite=None; Secure;` does not work
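The situation described in the post comes down to one header being emitted for two different environments: a plain-http development server, where browsers refuse to store a cookie carrying Secure, and a TLS deployment, where the cross-site payment redirect needs SameSite=None together with Secure. The following is an added example, not the poster's code, showing one way to pick the attributes from the request itself. It assumes a Node.js handler receiving http.IncomingMessage-like objects and, in production, a TLS-terminating proxy that sets X-Forwarded-Proto; the proxy address, token and hostname values are constructed placeholders.

```javascript
// Added example (not the poster's code): derive the Set-Cookie attributes from
// whether the request really arrived over TLS, so a dev server on plain http
// never emits "Secure" (browsers drop Secure cookies set from insecure origins)
// while the TLS-fronted deployment always emits "SameSite=None; Secure", which
// the cross-site payment-gateway redirect needs.

// Assumption: in production the app sits behind a TLS-terminating proxy that
// sets X-Forwarded-Proto. Trust that header only for connections from the
// proxy; the proxy address here is a constructed placeholder.
const TRUSTED_PROXY = '10.0.0.2';

function isSecureRequest(req) {
  if (req.socket && req.socket.encrypted) return true;        // direct TLS
  const fromProxy = req.socket && req.socket.remoteAddress === TRUSTED_PROXY;
  const proto = req.headers['x-forwarded-proto'] || '';
  return fromProxy && proto.split(',')[0].trim().toLowerCase() === 'https';
}

// Build one Set-Cookie header value. The token is percent-encoded so a stray
// ';' or whitespace in it cannot terminate the cookie-value early.
function buildSetCookie({ name, value, secure, expires, domain, crossSite }) {
  const parts = [`${name}=${encodeURIComponent(value)}`];
  if (expires) parts.push(`Expires=${expires.toUTCString()}`);
  parts.push('Path=/');
  if (domain) parts.push(`Domain=${domain}`);
  parts.push('HttpOnly');                                     // session token: keep it away from page scripts
  if (secure && crossSite) {
    parts.push('SameSite=None', 'Secure');                    // None is only accepted together with Secure
  } else if (secure) {
    parts.push('SameSite=Lax', 'Secure');
  } else {
    parts.push('SameSite=Lax');                               // plain-http dev: no Secure, so the cookie is stored
  }
  return parts.join('; ');
}

function sessionCookie(req, token, hostname, expires, crossSite) {
  return buildSetCookie({
    name: 'token', value: token, secure: isSecureRequest(req),
    expires, domain: hostname, crossSite,
  });
}

// Constructed requests standing in for Node's http.IncomingMessage.
const DEV_REQ = { socket: { encrypted: false, remoteAddress: '127.0.0.1' }, headers: {} };
const PROD_REQ = { socket: { encrypted: false, remoteAddress: TRUSTED_PROXY },
                   headers: { 'x-forwarded-proto': 'https' } };
const SPOOF_REQ = { socket: { encrypted: false, remoteAddress: '198.51.100.7' },
                    headers: { 'x-forwarded-proto': 'https' } };   // header from an untrusted peer

function demo() {
  const expires = new Date(Date.UTC(2030, 0, 1));              // fixed date keeps output reproducible
  return {
    dev:   sessionCookie(DEV_REQ,   'abc;123', undefined,     expires, true),
    prod:  sessionCookie(PROD_REQ,  'abc;123', 'example.com', expires, true),
    spoof: sessionCookie(SPOOF_REQ, 'abc;123', 'example.com', expires, true),
  };
}

console.log(demo());
```

The development request gets a cookie without Secure and with SameSite=Lax, so the browser keeps it over plain http; the request that arrived via the trusted proxy over https gets SameSite=None; Secure. The third case matters for the X-Forwarded-Proto approach: a client that sends the header itself from an untrusted address is still treated as insecure, so the scheme decision cannot be flipped from outside.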