auth0-spa-js: Cookie auth0.is.authenticated will be soon rejected

Description

The developer console shows a warning that the auth0.is.authenticated cookie will be rejected in future browser versions. This cookie is set when the app calls getTokenSilently, loginWithPopup, or handleRedirectCallback.

In Firefox:

Cookie “auth0.is.authenticated” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies

In Chrome:

A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I believe this is due to the way the library is setting the auth0.is.authenticated cookie. It is not passing the secure or sameSite parameters to the downstream es-cookie set method

In src/Auth0Client.ts:

ClientStorage.save('auth0.is.authenticated', true, { daysUntilExpire: 1 });

and in src/storage.ts:

export const save = (
  key: string,
  value: any,
  options: ClientStorageOptions
) => {
  Cookies.set(key, JSON.stringify(value), {
    expires: options.daysUntilExpire
  });
};

Reproduction

Have the developer console open while your app calls Auth0Client’s getTokenSilently, loginWithPopup, or handleRedirectCallback.

Environment

Version of this library used: @auth0/auth0-spa-js @1.8.1
Version of the platform or framework used, if applicable:
Other relevant versions (language, server software, OS, browser): Firefox latest (76), Chrome latest

About this issue

Original URL
State: closed
Created 4 years ago
Reactions: 2
Comments: 16 (8 by maintainers)

Commits related to this issue

Add same site attribute to cookie storage. Closes: #459 — committed to ties-v/auth0-spa-js by ties-v 4 years ago
Add secure attribute to cookies if served over HTTPS (#472) * Add same site attribute to cookie storage. Closes: #459 * Add secure flag to cookies when served over HTTPS * Add samesite=None ... — committed to auth0/auth0-spa-js by ties-v 4 years ago

Most upvoted comments

Ok, digging into this, Firefox still does not set Lax by default when you do not specify the SameSite attribute when creating cookies, it will continue to set None (but then display a warning about it). However, this is behind a Firefox configuration flag (network.cookie.samesite.laxbydefault) and presumably they will enable this flag by default in future versions, just like most of the other modern browsers have done.

For now, the warning is just a warning and you can turn the flag on to verify that your application still works as intended. The warning will start to disappear in future versions of Firefox.

So, we believe that what we’ve done with SameSite in this SDK aligns with where browsers are going in this regard, even if the warning in the interim is not ideal.

stevehobbsdev on Jul 2, 2020

You can enable this behavior now with a flag, for me it still worked with the flag on (but I am no cookie expert).

submarines-and on May 12, 2020