Safari not sending cookie even after setting SameSite=None; Secure

Our application uses cookies to remember user login. On every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and gets authenticated. This behaviour seems to be broken in Safari after the Mojave release.

I read about the cross-site cookie security implemented by Safari, and our server team added SameSite=None; Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None

Please advise or provide links from people who actually found a solution.


Versions of Safari on macOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting.

I've published some guidance in SameSite cookie recipes on either:

  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.
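
The two workarounds listed in the answer above, sketched for a JavaScript backend as an added example (not code from the answer or from the linked recipes). The function names, the `my_cookie_legacy` cookie name and the User-Agent patterns are assumptions about how the affected browsers identify themselves.

```javascript
// Added example: helper names and "my_cookie_legacy" are hypothetical.

// True for the clients named above: Safari on macOS 10.14 and any browser on iOS 12.
// The User-Agent patterns are assumptions, not taken from the page.
function treatsNoneAsStrict(userAgent) {
  const ua = userAgent || '';
  // The answer says "all browsers on iOS 12", so on iOS only the OS version is checked.
  const ios = /\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  if (ios) return ios[1] === '12';
  const mac = /\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\//.exec(ua);
  const isSafari = /Version\/.* Safari\//.test(ua);
  return Boolean(mac) && mac[1] === '10' && mac[2] === '14' && isSafari;
}

// Workaround "sniffing": leave SameSite out entirely for the affected clients.
function cookieBySniffing(value, userAgent) {
  const base = `my_cookie=${encodeURIComponent(value)}; Path=/; Secure; HttpOnly`;
  return treatsNoneAsStrict(userAgent) ? base : `${base}; SameSite=None`;
}

// Workaround "two sets of cookies": send both on every response.
// Clients that mishandle SameSite=None still return the legacy cookie cross-site.
function cookiePair(value) {
  const v = encodeURIComponent(value);
  return [
    `my_cookie=${v}; Path=/; Secure; HttpOnly; SameSite=None`,
    `my_cookie_legacy=${v}; Path=/; Secure; HttpOnly`,
  ];
}

// Read side of the two-cookie approach: prefer the modern cookie, fall back to legacy.
function readAuthCookie(cookieHeader) {
  const jar = new Map();
  for (const part of (cookieHeader || '').split(';')) {
    const eq = part.indexOf('=');
    if (eq > 0) jar.set(part.slice(0, eq).trim(), part.slice(eq + 1).trim());
  }
  const raw = jar.get('my_cookie') ?? jar.get('my_cookie_legacy');
  if (raw === undefined) return null;
  try {
    return decodeURIComponent(raw);
  } catch {
    return null; // malformed percent-encoding: treat the cookie as absent
  }
}
```

Both cookies must be cleared together on logout, otherwise the fallback keeps the session alive.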

This is also an issue in Safari 14. Safari is not sending third-party cookies by default anymore. This is because they introduced the privacy preference "Prevent cross-site tracking", which is turned on by default. So if you set your cookies with SameSite=None; Secure, they still won't be set and sent cross-domain.


The issue is not about whether Safari sends the cookie; it's about Safari not storing the cookie. This is related to a specific combination of cookie config. It's working with this setup for localhost:

Set-Cookie: your=cookie; Domain=localhost; Path=/; Expires=Mon, 26 Dec 2022 12:53:02 GMT; HttpOnly; SameSite=Lax

and this setup for prod:

set-cookie: your=cookie; Domain=something.com; Path=/; Expires=Thu, 22 Dec 2022 04:17:44 GMT; HttpOnly; Secure; SameSite=Lax

You need to include Domain on both and Secure for your prod (SSL) env. You can use different values for SameSite, but Lax is what works for me.


I tried disabling the "Prevent cross-site tracking" option in macOS (i.e., Settings > Safari > Privacy & Security > Prevent Cross-Site Tracking - disabled) and the iframe started to work. I know this is not a fix, but it might be a quick workaround for a short time.