
We have a register page on DomainA.com, which, after successful registration, shows a page with a JavaScript redirect to our application App.DomainB.com/direct-login/{login-token}. This has worked for a long time, until we wanted to use SameSite session cookies. With 'Strict' this won't work at all, so we decided to use 'Lax'.

Sadly 'Lax' also did not work. We found out that a back-end redirect (Location: App.DomainB.com/direct-login/token) did do the trick, but we have some Google Analytics events in the front-end of the DomainA.com response. I am not sure if we could move those GA events to App.DomainB.com, but we would rather not if at all possible.

Another "trick" we tried was creating a back-end redirect controller in DomainA.com, and when the registration was successful, it would show the JavaScript redirect, but this time redirecting to DomainA.com/redirect/token. Sadly, trying to trick the browser had no success.

My question is how we could make the redirect from DomainA.com to the direct-login URL on App.DomainB.com, where App.DomainB.com sets a session cookie with the SameSite attribute (e.g. Strict or Lax), hopefully while keeping the GA events on DomainA.com.

If you guys have more questions, I'm happy to elaborate. Code snippets are possible if required.

TL;DR: It seems that setting a SameSite cookie when being redirected (via a client-side redirect) from another origin is blocked by most, if not all, browsers. Is there any way to set the SameSite cookie after being redirected from another origin?

EDIT: It turns out, SameSite=Lax does fix the problem.

R. Leroi
  • I was looking for a question in your post and couldn't find one. – Altimus Prime Dec 17 '20 at 15:13
  • I'm sorry, I will update my question – R. Leroi Dec 17 '20 at 15:16
  • @AltimusPrime I hope the question is clear now. Are you knowledgeable about this topic? – R. Leroi Dec 17 '20 at 15:23
  • I have experience with session cookies. What language are you using on the backend? What does DomainA have to do with session cookies on App.DomainB.com? When the user arrives at App.DomainB.com you set the cookie. What are you writing the server script in? Maybe https://stackoverflow.com/questions/39750906/php-setcookie-samesite-strict can help you if you're doing this in PHP. – Altimus Prime Dec 17 '20 at 21:21
  • I think the language is less relevant; it is more about browser behaviour when redirecting to another origin which sets a SameSite cookie (and there seems to be different behaviour between a Location header and a front-end redirect, also varying per browser). It seems that setting a SameSite cookie when being redirected from another origin is blocked by most, if not all, browsers. – R. Leroi Dec 18 '20 at 13:21
  • The browser should respond according to standards. https://tools.ietf.org/html/rfc6265. The session cookie is issued by whatever server-side application is running as a way of maintaining state between one request and another, meaning that the backend language matters a lot. Your comment leads me to believe that you don't understand what a session cookie is, but whatever the case, I'm glad you resolved your problem. – Altimus Prime Dec 23 '20 at 03:36
  • I do understand what a session cookie is. The problem was that the cookie was in the HTTP response's Set-Cookie header but it was ignored by the browser. That's why I think the back-end language is irrelevant, since the HTTP response is correct. This was a SameSite issue, and RFC 6265 does not cover SameSite. – R. Leroi Jan 14 '21 at 12:18

1 Answer


I think I didn't test it carefully enough, but it turns out that the first fix, using SameSite=Lax, actually does fix the problem. The cross-origin redirect is made and the session cookie is set.

It only fails to set the session cookie when using SameSite=Strict.

I hope this answer will help other people with a similar problem.

R. Leroi
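The script below is an added example, not code from the original question or the answer. It models the RFC 6265bis rule that decides whether a browser attaches a cookie with a given SameSite value to a request, and runs the page's scenario (a page on DomainA.com navigating to App.DomainB.com/direct-login/{token}, which sets the session cookie and redirects onward within App.DomainB.com) through it for both Strict and Lax. The function names, hostnames and session id are illustrative assumptions; siteOf() uses a naive "last two labels" rule in place of the public-suffix list; and browser-specific exceptions (such as Chrome's temporary "Lax+POST" allowance for cookies with no SameSite attribute) are deliberately not modelled.

```javascript
// Added example (not from the original post): a model of the SameSite
// attach rules from RFC 6265bis, applied to the DomainA.com ->
// App.DomainB.com direct-login redirect described in the question.
// Assumptions: hostnames are illustrative; siteOf() is a naive
// "last two labels" rule, not the public-suffix list.

"use strict";

// Methods RFC 7231 calls "safe"; Lax cookies ride along on top-level
// navigations that use one of these.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

// Registrable domain ("site") of a host, naive version (assumption).
function siteOf(host) {
  return host.toLowerCase().split(".").slice(-2).join(".");
}

// Would the browser attach a cookie carrying this SameSite value?
//   initiatorSite: host of the document that started the request (the
//                  "site for cookies"; for a redirect chain this stays the
//                  site where the navigation began)
//   targetHost:    host the request is sent to
//   method:        HTTP method of the request
//   topLevel:      true for a navigation of the top-level browsing context,
//                  false for subresources, fetch(), iframes, ...
function cookieIsSent({ sameSite, initiatorSite, targetHost, method = "GET", topLevel = true }) {
  const sameSiteRequest = siteOf(initiatorSite) === siteOf(targetHost);
  switch (String(sameSite || "Lax").toLowerCase()) {
    case "none":
      // Always attached; browsers also require the Secure attribute here.
      return true;
    case "strict":
      // Only when the initiator is the cookie's own site.
      return sameSiteRequest;
    case "lax":
      // Same-site requests, plus cross-site top-level navigations with a
      // safe method (a link click, a JavaScript location change, a 302 on GET).
      return sameSiteRequest || (topLevel && SAFE_METHODS.has(method.toUpperCase()));
    default:
      throw new Error(`unknown SameSite value: ${sameSite}`);
  }
}

// The Set-Cookie header the app would emit for its session cookie.
function sessionSetCookie(sessionId, sameSite) {
  return `session=${encodeURIComponent(sessionId)}; Path=/; HttpOnly; Secure; SameSite=${sameSite}`;
}

// The flow from the question. A page on DomainA.com performs a client-side
// redirect to App.DomainB.com/direct-login/{token}; that response sets the
// session cookie and redirects to another App.DomainB.com page. The redirect
// is still part of the navigation that DomainA.com started, so the question
// is whether the freshly set cookie is attached to that follow-up request.
function loginFlow(sameSite) {
  const header = sessionSetCookie("constructed-session-id", sameSite); // constructed value

  const sentOnDashboardRedirect = cookieIsSent({
    sameSite,
    initiatorSite: "DomainA.com",
    targetHost: "App.DomainB.com",
    method: "GET",
    topLevel: true,
  });

  // Later, the user clicks a link inside the app: initiator and target agree.
  const sentOnLaterInAppClick = cookieIsSent({
    sameSite,
    initiatorSite: "App.DomainB.com",
    targetHost: "App.DomainB.com",
  });

  return { header, sentOnDashboardRedirect, sentOnLaterInAppClick };
}

// Stand-alone run: compare Strict and Lax for the page's scenario.
for (const mode of ["Strict", "Lax"]) {
  console.log(mode, loginFlow(mode));
}
```

On the Strict run the cookie is not attached to the request that follows /direct-login, because the whole navigation was initiated on DomainA.com; the app then sees an unauthenticated request, which from the outside looks as if the cookie was never set. On the Lax run it is attached, because the redirect is a top-level GET navigation, matching what the answer reports. The model also shows the limit of Lax: had the registration form on DomainA.com been POSTed straight to App.DomainB.com, or had the login been triggered from a fetch() or an iframe, Lax would not have been enough either.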