Cookies set with SameSite=strict are not sent in redirects
Categories
(Core :: Networking: Cookies, defect, P2)
Tracking
()
People
(Reporter: sean, Unassigned)
References
Details
(Whiteboard: [necko-triaged])
Comment 2•7 years ago
|
||
Comment 4•7 years ago
|
||
Comment 5•7 years ago
|
||
Updated•7 years ago
|
Comment 7•7 years ago
|
||
Comment 9•7 years ago
|
||
Reporter | ||
Comment 10•7 years ago
|
||
Comment 12•5 years ago
|
||
I recently tested this issue and I confirm that we store cookies received during a redirect.
This is the test I wrote:
const express = require('express')
var cookieParser = require('cookie-parser')
const app = express()
app.use(cookieParser())
app.get('/', (req, res) => {
if (req.query.wow) {
res.send('Cookie: ' + JSON.stringify(req.cookies));
return;
}
res.cookie('a', 'b', { domain: 'localhost', path: '/',secure: false, sameSite: 'strict'});
return res.redirect(302, 'http://localhost:3000/?wow=wow');
});
app.listen(3000);
Reopen the bug if you think this issue is still valid.
Comment 14•4 years ago
|
||
The problem still exists in Firefox 78.0.2.
Cookie is stored, but the redirect request does not contain the cookie being written.
This is fomr my server side code:
cookie := http.Cookie{
Name: "__mycookie",
Value: cookieValue,
Path: "/web",
Secure: true,
HttpOnly: true,
SameSite: http.SameSiteStrictMode,
//Expires: expire,
}
With these settings, Firfox does not send the written session cookie upon a redirect.
Comment 15•4 years ago
|
||
Same problem in Firefox 80.0
Comment 16•4 years ago
|
||
Hi,
I got this bug too on Firefox 81.1.4 running on Android 10.
Also I noticed that this bug vanishes when clearing cookies manually or visiting a different url than the one specified in the redirect path.
Steps to reproduce:
- Clear all nav data
- Visit url redirecting to same domain with set cookie samesite="strict"
- Check cookie is not sent in request headers
- Manually delete cookies for said domain
- Visit url from step 2
- Notice new cookie is set and correctly sent with redirection
Instead of manually deleting cookies, you can also go to a different url on the same domain and then come back to the redirection target. Works also when only changing query parameters.
Comment 17•4 years ago
|
||
I've set up a minimal example that reproduces this problem.
Main app: https://cookie-lab-app.vercel.app/
The main app will set a cookie called "state" to a guid value. It will then redirect to a fake authentication server, passing along a "state" querystring parameter that is passed back to an authentication callback page in the main app. On that page the value of the state cookie and the value of the querystring state parameter are displayed.
When sameSite=strict the state cookie is missing after being redirected back from the auth site to the main app in Firefox. Also iOS Safari. The cookie is only missing on the first page load after the redirect; refreshing the page causes the cookie to become available. (Chrome, Edge and Safari on macOS all send the cookie even on first page load.)
Setting sameSite=lax works around the issue. Also, the issue only reproduces when using https.
Comment 18•4 years ago
|
||
(In reply to anders from comment #17)
I've set up a minimal example that reproduces this problem.
Main app: https://cookie-lab-app.vercel.app/
The main app will set a cookie called "state" to a guid value. It will then redirect to a fake authentication server, passing along a "state" querystring parameter that is passed back to an authentication callback page in the main app. On that page the value of the state cookie and the value of the querystring state parameter are displayed.
When sameSite=strict the state cookie is missing after being redirected back from the auth site to the main app in Firefox. Also iOS Safari. The cookie is only missing on the first page load after the redirect; refreshing the page causes the cookie to become available. (Chrome, Edge and Safari on macOS all send the cookie even on first page load.)
Setting sameSite=lax works around the issue. Also, the issue only reproduces when using https.
Realising now that this is probably the expected behavior. A bit strange that the browsers behave so differently.
Comment 19•4 years ago
|
||
Please reopen this bug as it's not a duplicate. This is about a cookie supposed to be sent when it's not. The linked ticket is about a cookie not supposed to be send when instead it is. I'm experiencing behavior similar to the one described with FF 80 (at least), I'll post details shortly.
Comment 20•3 years ago
|
||
i also need to highly suggest to fix this bug as it is preventing secure oauth handling on mobile phones. e.g.
oauth provider redirects to
->oauth callback endpoint of your backend (sets cookie)
->redirects to frontend, another backend endpoint, whatever is handling the next steps (this endpoint however has no access to the cookie, although it was set on the same domain)
Comment 21•3 years ago
|
||
This is issue is happening since last week for us on the version before 97 and on 97. We have a 302 that do not pass the cookie.
If you try to go directly to the redirected URL at the right time, sometimes it work cookies are passed to the url. Maybe their is a race condition between the set cookie of the first request then the get cookie on the redirection.
Comment 22•3 years ago
|
||
(In reply to opiwer from comment #21)
This is issue is happening since last week for us on the version before 97 and on 97. We have a 302 that do not pass the cookie.
If you try to go directly to the redirected URL at the right time, sometimes it work cookies are passed to the url. Maybe their is a race condition between the set cookie of the first request then the get cookie on the redirection.
My assumption was wrong. Cookie was blocked by a solution called Prisma Cloud.
Comment 23•2 years ago
|
||
Can confirm this error is still happening, exactly in the scenario that @thies.eike described. I don't understand why it is marked as closed.
Description
•