Set-Cookie Response Header Blocked by User Configuration

Asked 2 years ago, Updated 2 years ago, 136 views

I am implementing a login feature in Rails.

The authentication endpoint returns a Set-Cookie response header, but the cookie is not saved; the browser shows a warning that it was blocked by user configuration.

As the image shows, I have set the Path, Secure, and SameSite attributes on the cookie.

(Image: cookie blocked by user settings)

The Chrome setting was "Block third-party cookies in Incognito", so I changed it to "Allow all cookies", and confirmed that the cookie is then set without any problems.

(Screenshots: setting changed from "Block third-party cookies in Incognito" to "Allow all cookies")

Since blocking third-party cookies in Incognito mode is the default, I would like to keep that setting as it is.

If there is any way to make this work, please advise.

Environment

  • macOS Big Sur 11.5.2 (M1)
  • Google Chrome 103.0.5060.53 (Official Build) (arm64)

Smartphone

  • iPhone 12, iOS 15.5
  • Chrome 103.0.5060.63

(Sequence diagram: processing flow)

Addendum
I believe the reason the cookie is judged to be third-party is that I host the frontend and the server separately and cannot run them on the same DNS server.
Reference: https://blog.cloud-acct.com/posts/u-nuxt-rails-safari-cookies/

---
※ Additional note
I checked with several Chrome builds, and it seems the cookie is set in some versions and not set in others.

  • Set: 103.0.5060.114 (Official Build) (x86_64)
  • Not set: 103.0.5060.53 (Official Build) (arm64)

ruby-on-rails google-chrome cookie

2022-09-29 22:26

1 Answer

As I understand it, the problem is that the cookie set by the backend ("Set-Cookie if authentication OK...") in the diagram below (which the questioner added to the question) is treated as third-party and rejected by the browser settings.

(Diagram: system configuration)

I don't know why you use Incognito mode, but I take it that this is a rule...

"The default setting blocks third-party cookies in Incognito mode, so I would like to keep that setting and still have the cookie set. If there is any way to make this work, please advise."

With the configuration shown in the diagram above, there is no way to do it.

I think the only solution is to have users change their browser cookie setting to "Allow all cookies", but that is probably not acceptable, so what I can come up with is:

(1) Have the response from "front" in the figure above redirect to "backend", so that the user requests "backend" directly as the first party and receives the "backend" cookie as a first-party cookie.

(2) Stop cookie-based authentication and replace it with token-based authentication.

...that's about it.


2022-09-29 22:26
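To make concrete why the answer says there is "no way" with the diagrammed configuration: a browser decides whether a cookie is first-party or third-party by comparing the site (scheme plus registrable domain, i.e. public suffix plus one label) of the page in the tab with the site of the request that carries Set-Cookie. The attributes on the cookie (Path, Secure, SameSite) do not change that classification. The Ruby script below is an added illustration, not code from the question, the answer, or Rails; it implements that comparison against a constructed, deliberately tiny public-suffix list (the real list is far longer), and includes a small Set-Cookie builder that enforces the rule that SameSite=None is only accepted together with Secure. All hostnames (app.example.com, front.herokuapp.com, backend.herokuapp.com and so on) are constructed sample values.

```ruby
require 'uri'

# Constructed, deliberately tiny stand-in for the Public Suffix List.
# Real browsers use the full list (publicsuffix.org), which is why, for
# example, two apps under herokuapp.com count as two different sites.
PUBLIC_SUFFIXES = %w[com net org jp co.jp herokuapp.com].freeze

# Registrable domain ("eTLD+1"): the public suffix plus one more label.
#   'api.example.com'     -> 'example.com'
#   'front.herokuapp.com' -> 'front.herokuapp.com' (herokuapp.com is a suffix)
#   'com'                 -> nil (a bare suffix is not a site)
def registrable_domain(host)
  labels = host.downcase.split('.')
  labels.each_index do |i|
    next unless PUBLIC_SUFFIXES.include?(labels[i..-1].join('.'))
    return i.zero? ? nil : labels[(i - 1)..-1].join('.')
  end
  host.downcase # no known suffix (e.g. 'localhost'): the host is its own site
end

# Schemeful same-site check: same scheme and same registrable domain.
def same_site?(top_level_url, request_url)
  top = URI(top_level_url)
  req = URI(request_url)
  return false unless top.scheme == req.scheme
  rd_top = registrable_domain(top.host)
  rd_req = registrable_domain(req.host)
  !rd_top.nil? && rd_top == rd_req
end

# A cookie set by request_url while the tab shows top_level_url is
# first-party only if the two are same-site; otherwise Chrome's
# "block third-party cookies" setting drops it, whatever its attributes.
def cookie_classification(top_level_url, request_url)
  same_site?(top_level_url, request_url) ? :first_party : :third_party
end

# Builds the Set-Cookie value a backend would send. Cross-site use needs
# SameSite=None, which browsers only accept together with Secure.
def set_cookie_header(name, value, same_site:, secure: true, path: '/', http_only: true)
  if same_site == 'None' && !secure
    raise ArgumentError, 'SameSite=None cookies are rejected unless Secure is set'
  end
  parts = ["#{name}=#{value}", "Path=#{path}"]
  parts << 'Secure' if secure
  parts << 'HttpOnly' if http_only
  parts << "SameSite=#{same_site}"
  parts.join('; ')
end

if __FILE__ == $PROGRAM_NAME
  # Constructed sample deployments: [page shown in the tab, request that sets the cookie].
  cases = {
    'same registrable domain' => ['https://app.example.com/', 'https://api.example.com/login'],
    'two herokuapp.com apps' => ['https://front.herokuapp.com/', 'https://backend.herokuapp.com/login'],
    'answer option (1): top-level navigation to backend' =>
      ['https://backend.herokuapp.com/login', 'https://backend.herokuapp.com/login']
  }
  cases.each { |label, (top, req)| puts "#{label}: #{cookie_classification(top, req)}" }
  puts set_cookie_header('_app_session', 'opaque-id', same_site: 'None')
end
```

The third case models the answer's option (1): once the user is redirected so that the backend itself is the page in the tab, the backend's cookie is first-party and the Incognito setting no longer applies. The first two cases show the distinction the questioner ran into: a frontend and backend under one registrable domain are same-site, while two hosts under a public suffix such as herokuapp.com are cross-site even though they share a parent domain.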

© 2024 OneMinuteCode. All rights reserved.