auth0-spa-js: Cookie auth0.is.authenticated will be soon rejected
Description
The developer console shows a warning that the auth0.is.authenticated cookie will be rejected in future browser versions. This cookie is set when the app calls getTokenSilently, loginWithPopup, or handleRedirectCallback.
In Firefox:
Cookie “auth0.is.authenticated” will be soon rejected because it has the “sameSite” attribute set to “none” or an invalid value, without the “secure” attribute. To know more about the “sameSite“ attribute, read https://developer.mozilla.org/docs/Web/HTTP/Cookies
In Chrome:
A cookie associated with a cross-site resource at http://auth0.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I believe this is due to the way the library is setting the auth0.is.authenticated cookie. It is not passing the secure or sameSite parameters to the downstream es-cookie set method.
In src/Auth0Client.ts:
ClientStorage.save('auth0.is.authenticated', true, { daysUntilExpire: 1 });
and in src/storage.ts:
import * as Cookies from 'es-cookie';

export const save = (
  key: string,
  value: any,
  options: ClientStorageOptions
) => {
  // Only `expires` is forwarded to es-cookie; no `secure` or `sameSite`
  // attribute is passed, so the cookie is written with the browser defaults.
  Cookies.set(key, JSON.stringify(value), {
    expires: options.daysUntilExpire
  });
};
Reproduction
Have the developer console open while your app calls Auth0Client's getTokenSilently, loginWithPopup, or handleRedirectCallback.
Environment
- Version of this library used: @auth0/auth0-spa-js@1.8.1
- Version of the platform or framework used, if applicable:
- Other relevant versions (language, server software, OS, browser): Firefox latest (76), Chrome latest
About this issue
- State: closed
- Created 4 years ago
- Reactions: 2
- Comments: 16 (8 by maintainers)
Commits related to this issue
- Add same site attribute to cookie storage. Closes: #459 — committed to ties-v/auth0-spa-js by ties-v 4 years ago
- Add secure attribute to cookies if served over HTTPS (#472) * Add same site attribute to cookie storage. Closes: #459 * Add secure flag to cookies when served over HTTPS * Add samesite=None ... — committed to auth0/auth0-spa-js by ties-v 4 years ago
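The rule behind both browser warnings, and the approach the fix commits describe (SameSite=None plus Secure when the page is served over HTTPS), as an added example that is not code from auth0-spa-js or es-cookie. The `protocol` parameter stands in for window.location.protocol so the functions are pure and run under Node; that, the http: fallback to SameSite=Lax, and the sample cookie strings are assumptions of this example.

```javascript
// Added example, not auth0-spa-js or es-cookie code: a cookie builder that
// applies the "SameSite=None requires Secure" rule, plus a checker that runs
// over any Set-Cookie-style string. `protocol` stands in for
// window.location.protocol (assumption of this example).

// Build the cookie string for a value such as auth0.is.authenticated=true.
// On https: origins the cookie gets SameSite=None together with Secure, the
// only combination browsers will keep delivering with cross-site requests.
// On plain http: Secure cannot be honoured, and SameSite=None without Secure
// is exactly what the warnings complain about, so fall back to SameSite=Lax.
function buildCookie(key, value, { daysUntilExpire }, protocol) {
  const expires = new Date(Date.now() + daysUntilExpire * 24 * 60 * 60 * 1000);
  const attrs = [`Expires=${expires.toUTCString()}`, 'Path=/'];
  if (protocol === 'https:') {
    attrs.push('SameSite=None', 'Secure');
  } else {
    attrs.push('SameSite=Lax');
  }
  const pair = `${encodeURIComponent(key)}=${encodeURIComponent(JSON.stringify(value))}`;
  return `${pair}; ${attrs.join('; ')}`;
}

// Parse a cookie string into { name, value, attributes }. Attribute names are
// lower-cased; flag attributes such as Secure and HttpOnly map to true.
function parseCookie(cookieString) {
  const [pair, ...rest] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attributes = {};
  for (const part of rest) {
    if (!part) continue;
    const i = part.indexOf('=');
    if (i === -1) {
      attributes[part.toLowerCase()] = true;
    } else {
      attributes[part.slice(0, i).toLowerCase()] = part.slice(i + 1);
    }
  }
  return {
    name: eq === -1 ? pair : pair.slice(0, eq),
    value: eq === -1 ? '' : pair.slice(eq + 1),
    attributes
  };
}

// The check both warnings describe. Returns the problems found; an empty
// array means a browser enforcing "SameSite=None requires Secure" accepts it.
function sameSiteProblems(cookieString) {
  const { attributes } = parseCookie(cookieString);
  const sameSite = String(attributes.samesite || '').toLowerCase();
  const secure = attributes.secure === true;
  const problems = [];
  if (sameSite === '') {
    problems.push('SameSite attribute missing: Firefox warns, Chrome will stop sending it cross-site');
  } else if (!['none', 'lax', 'strict'].includes(sameSite)) {
    problems.push(`invalid SameSite value "${attributes.samesite}"`);
  } else if (sameSite === 'none' && !secure) {
    problems.push('SameSite=None without Secure: rejected');
  }
  return problems;
}

// Constructed inputs: a cookie written with only an expiry, as the issue
// describes for 1.8.1, beside what the builder above produces on https: and http:.
const legacy = 'auth0.is.authenticated=true; Expires=Thu, 21 May 2020 00:00:00 GMT';
const fixedHttps = buildCookie('auth0.is.authenticated', true, { daysUntilExpire: 1 }, 'https:');
const fixedHttp = buildCookie('auth0.is.authenticated', true, { daysUntilExpire: 1 }, 'http:');
for (const c of [legacy, fixedHttps, fixedHttp]) {
  console.log(c, '->', sameSiteProblems(c).join('; ') || 'ok');
}
```

Running the block prints one line per constructed cookie: the expiry-only cookie is flagged for its missing SameSite attribute, while both builder outputs pass. The http: branch is a design choice of this example rather than something the page states; a real deployment that needs cross-site delivery simply has to be served over HTTPS, because no attribute combination makes a cross-site cookie work on plain http: under the new rules.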
Ok, digging into this, Firefox still does not set Lax by default when you do not specify the SameSite attribute when creating cookies; it will continue to set None (but then display a warning about it). However, this is behind a Firefox configuration flag (network.cookie.samesite.laxbydefault) and presumably they will enable this flag by default in future versions, just like most of the other modern browsers have done. For now, the warning is just a warning and you can turn the flag on to verify that your application still works as intended. The warning will start to disappear in future versions of Firefox.
So, we believe that what we’ve done with SameSite in this SDK aligns with where browsers are going in this regard, even if the warning in the interim is not ideal.
You can enable this behavior now with a flag, for me it still worked with the flag on (but I am no cookie expert).