eslachance – 17-36 Apr 4

Would anyone know why an httpOnly, sameSite: 'strict' cookie is showing as undefined, but only if I'm linking to this page from another website? It doesn't matter if it's a local HTML file, a local HTTP server, or any other http/https server; it only works if I load the page manually via the URL, or if I link from an app that is not http-served, such as Discord itself.
<Maddie> [Evie.Codes][She/Her] 39d ago
[attachment, no description]
<Maddie> [Evie.Codes][She/Her] 39d ago
here's how it's set, specifically:
```js
const express = require('express');
const cookieParser = require('cookie-parser'); // populates req.cookies
const app = express();
app.use(cookieParser());

app.get('/', (req, res) => {
  // read cookies sent with this request
  console.log(req.cookies);

  let options = {
    maxAge: 1000 * 60 * 15, // would expire after 15 minutes
    sameSite: 'strict',
    secure: true,
    httpOnly: true, // not readable from client-side script (document.cookie)
  };

  // Set cookies
  res.cookie('name', 'express');
  res.cookie('securecookie', 'issecure', options);
  res.send('cookies set, <a href="https://f200ebd1ac6b.ngrok.app/cookie">check it</a>');
});

// The /cookie route linked above was not part of the posted snippet; this
// minimal version only echoes back whatever cookies the browser sent.
app.get('/cookie', (req, res) => {
  console.log(req.cookies);
  res.json(req.cookies);
});

app.listen(3000);
```
(If you want to test, visit https://f200ebd1ac6b.ngrok.app/ first, then https://f200ebd1ac6b.ngrok.app/cookie )
ghardin137 39d ago
SameSite=Strict would do that.
<Maddie> [Evie.Codes][She/Her] 39d ago
But that sort of means that if I'm on google.com and click a link to discord.com, I'm logged out of Discord because the cookie isn't being read by the backend? That just doesn't make sense to me; I'm really confused by this.
ghardin137 39d ago
I think there are some attributes you can put on the link from the remote server that would make it work.
<Maddie> [Evie.Codes][She/Her] 39d ago
But why would my own server, when receiving a GET request from a browser, regardless of the referer, be unable to know whether a user was logged in or not, because it's not seeing a cookie on its own domain created by itself? It makes no sense to me that an external third-party website would be able to affect whether my backend is able to read a local SameSite cookie.
ghardin137 39d ago
The issue is that there's an opening for XSS attacks, I think. If you put rel=noopener on the link from the other site it avoids this: https://mathiasbynens.github.io/rel-noopener/ Basically, if they don't, then the opening window can get access to the page that it opened, and that breaks SameSite strict.
<Maddie> [Evie.Codes][She/Her] 39d ago
And there is literally nothing that can be done on my end to just... ignore this... and get access to my cookie on my domain? :ia_think_thonk: If not, then this tells me that SameSite strict cookies are utterly pointless for use with sessions and logins. And that's really baffling to me.
ghardin137 39d ago
It's blocking a potential XSS attack. Not really pointless.
<Maddie> [Evie.Codes][She/Her] 39d ago
But it does mean I can't use a SameSite strict cookie as a login cookie, since external links make that cookie data unavailable to my backend. And just to be perfectly clear: it means this link here, https://f200ebd1ac6b.ngrok.app/cookie , a simple href, makes a cookie undefined when clicked from the discord.com front-end, but from the Discord desktop app it works fine and the cookie is defined. This is what you're saying is perfectly normal behavior? (Last confirmation, I promise; after that I'm convinced 😄)
ghardin137 39d ago
Sorry, I had meetings. Yeah, Strict explicitly calls this out on MDN. You'd have to use Lax.
ghardin137 39d ago
MDN Web Docs: Set-Cookie - HTTP | MDN
The Set-Cookie HTTP response header is used to send a cookie from the server to the user agent, so that the user agent can send it back to the server later. To send multiple cookies, multiple Set-Cookie headers should be sent in the same response.
ghardin137 39d ago
Grr, that didn't help.
<Maddie> [Evie.Codes][She/Her] 38d ago
Alright, thank you! Definitely gonna have to use Lax unless I want to work around it. :AUthumbsup:
ghardin137 38d ago
Yeah, you could possibly do a 302 if you can detect that you're coming from another site, maybe. I'd have to test that one out.
Unknown User 36d ago