<Alterion.Dev>
<Alterion.Dev>9mo ago

eslachance – 17-36 Apr 4

Would anyone know why httponly, samesite: strict, cookie is showing as undefined , but only if I'm linking to this page from another website? doesn't matter if it's a local html file, local http server, or any other http/https server, it only works if I load the page manually via the URL, or if I link from an app that is not http-served, such as discord itself.
17 Replies
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
No description
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
here's how it's set, specifically:
app.get('/', (req, res) => {
// read cookies
console.log(req.cookies);

let options = {
maxAge: 1000 * 60 * 15, // would expire after 15 minutes
sameSite: 'strict',
secure: true,
httpOnly: true, // The cookie only accessible by the web server
};

// Set cookie
res.cookie('name', 'express');
res.cookie('securecookie', 'issecure', options);
res.send('cookies set, <a href="https://f200ebd1ac6b.ngrok.app/cookie">check it</a>');
});
app.get('/', (req, res) => {
// read cookies
console.log(req.cookies);

let options = {
maxAge: 1000 * 60 * 15, // would expire after 15 minutes
sameSite: 'strict',
secure: true,
httpOnly: true, // The cookie only accessible by the web server
};

// Set cookie
res.cookie('name', 'express');
res.cookie('securecookie', 'issecure', options);
res.send('cookies set, <a href="https://f200ebd1ac6b.ngrok.app/cookie">check it</a>');
});
(if you want to test, visit https://f200ebd1ac6b.ngrok.app/ first, then https://f200ebd1ac6b.ngrok.app/cookie )
ghardin137
ghardin1379mo ago
Same site strict would do that
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
But that sort of means that if I'm on google.com and click a link to discord.com, I'm logged out of discord because the cookie isn't being read by the backend? that just doesn't make sense to me, I'm really confused by this
ghardin137
ghardin1379mo ago
I think there’s some attributes you can put on the link from the remote server that would make it work
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
But why would my own server, when receiving a GET request from a browser, regardless of the referer, be unable to know that a user was logged in or not, because it's not seeing a cookie on its own domain reated by itself? It makes no sense to me that an external 3rd party website would be able to affect whether my backend is able to read a local samesite cookie
ghardin137
ghardin1379mo ago
The issue is that there’s an opening for XSS attacks I think if you put rel=no opener on the link from the other site it avoids this https://mathiasbynens.github.io/rel-noopener/ Basically if they don’t then the opening window can get access to the page that it opened And that breaks samesite strict
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
And there is literally nothing that can be done on my end to just... ignore this... and get access to my cookie on my domain? :ia_think_thonk: If not, then this tells me that samesite strict cookies are utterly pointless for use with sessions and logins. And that's really baffling to me
ghardin137
ghardin1379mo ago
It’s blocking a potential XSS attack Not really pointless
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
But it does mean I can't use a samesite strict cookie as a login cookie, since external links make that cookie data unavailable to my backend And just to be perfectly clear : it means this link here , https://f200ebd1ac6b.ngrok.app/cookie , a simple href, makes a cookie undefined when clicked from the discord.com front-end, but from the discord desktop app, it works fine and the cookie is defined. This is what you're saying is perfectly normal behavior? (last confirmation I promise after that I'm convinced 😄 )
ghardin137
ghardin1379mo ago
Sorry. I had meetings. Yeah strict explicitly calls this out on mdn. You’d have to use lax
ghardin137
ghardin1379mo ago
MDN Web Docs
Set-Cookie - HTTP | MDN
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
ghardin137
ghardin1379mo ago
Grr that didn’t help
ghardin137
ghardin1379mo ago
MDN Web Docs
Set-Cookie - HTTP | MDN
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
<Alterion.Dev>
<Alterion.Dev>OP9mo ago
Alright, thank you! Definitely gonna have to use lax unless I want to workaround it. :AUthumbsup:
ghardin137
ghardin1379mo ago
yeah you could possibly do like a 302 if you can detect that you're coming from another site maybe i'd have to test that one out
reactibot
reactibot9mo ago
This thread hasn’t had any activity in 36 hours, so it’s now locked. Threads are closed automatically after 36 hours. If you have a followup question, you may want to reply to this thread so other members know they're related. https://discord.com/channels/102860784329052160/565213527673929729/1225499200603558020

Did you find this page helpful?