eslachance – 17-36 Apr 4
Would anyone know why an httpOnly, SameSite=Strict cookie is showing as undefined, but only if I'm linking to this page from another website? Doesn't matter if it's a local html file, local http server, or any other http/https server; it only works if I load the page manually via the URL, or if I link from an app that is not http-served, such as Discord itself.
17 Replies
here's how it's set, specifically:
(if you want to test, visit https://f200ebd1ac6b.ngrok.app/ first, then https://f200ebd1ac6b.ngrok.app/cookie )
SameSite strict would do that
But that sort of means that if I'm on google.com and click a link to discord.com, I'm logged out of Discord because the cookie isn't being read by the backend? That just doesn't make sense to me, I'm really confused by this
I think there are some attributes you can put on the link from the remote server that would make it work
But why would my own server, when receiving a GET request from a browser, regardless of the referer, be unable to know whether a user was logged in or not, because it's not seeing a cookie on its own domain created by itself?
It makes no sense to me that an external 3rd-party website would be able to affect whether my backend is able to read a local SameSite cookie
The issue is that there’s an opening for XSS attacks
I think if you put rel=noopener on the link from the other site it avoids this
https://mathiasbynens.github.io/rel-noopener/
Basically if they don’t then the opening window can get access to the page that it opened
And that breaks SameSite strict
And there is literally nothing that can be done on my end to just... ignore this... and get access to my cookie on my domain? :ia_think_thonk:
If not, then this tells me that SameSite strict cookies are utterly pointless for use with sessions and logins. And that's really baffling to me
It’s blocking a potential XSS attack
Not really pointless
But it does mean I can't use a SameSite strict cookie as a login cookie, since external links make that cookie data unavailable to my backend
And just to be perfectly clear: it means this link here, https://f200ebd1ac6b.ngrok.app/cookie, a simple href, makes a cookie undefined when clicked from the discord.com front-end, but from the Discord desktop app it works fine and the cookie is defined. This is what you're saying is perfectly normal behavior?
(last confirmation I promise after that I'm convinced 😄 )
Sorry. I had meetings.
Yeah, strict explicitly calls this out on MDN. You'd have to use lax
MDN Web Docs
Set-Cookie - HTTP | MDN
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later.
To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
Grr that didn’t help
Alright, thank you! Definitely gonna have to use lax unless I want to work around it. :AUthumbsup: