jwt-auth

fix: Chrome rejects refresh_token cookie in cross-origin requests due to missing SameSite attribute.

Open lxbdr opened this issue 2 years ago • 1 comment

Chrome prohibits the refresh_token cookie from being set from cross-origin requests because it is missing the SameSite attribute.

Things to consider:

  • This syntax requires a minimum PHP version of 7.3. Do we need a version check or workaround here to support a lower version?
  • The default for samesite would be Lax; maybe this could even be set to Strict, as the refresh_token is probably only used on subsequent requests in a first-party context when not cross-origin.

lxbdr avatar Apr 24 '23 09:04 lxbdr
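As an added example, not code from the jwt-auth project or from either participant in this thread: a helper that sets the refresh_token cookie with an explicit SameSite attribute using the PHP 7.3 options-array form of setcookie(), with a hand-written Set-Cookie header as the fallback the first bullet asks about for PHP older than 7.3. The cookie name refresh_token, the 14-day lifetime and the "/" path are illustrative assumptions, not project settings. One caveat the bullets leave implicit: Strict or Lax only work when the refresh endpoint is hit from a first-party context; if the client calls it cross-site, the only value browsers will accept is None, and browsers drop SameSite=None cookies that are not also marked Secure, so the helper refuses that combination over plain HTTP.

```php
<?php
declare(strict_types=1);

/**
 * Set the refresh_token cookie with an explicit SameSite attribute.
 * Added example, not jwt-auth project code. The cookie name, the 14-day
 * lifetime and the "/" path are illustrative assumptions.
 *
 * @param string $token    opaque refresh token value
 * @param int    $lifetime seconds until expiry
 * @param string $sameSite "Strict", "Lax" or "None"
 */
function setRefreshTokenCookie(string $token, int $lifetime = 14 * 86400, string $sameSite = 'Strict'): bool
{
    $sameSite = ucfirst(strtolower($sameSite));
    if (!in_array($sameSite, ['Strict', 'Lax', 'None'], true)) {
        throw new InvalidArgumentException('SameSite must be Strict, Lax or None');
    }

    $secure = !empty($_SERVER['HTTPS']) && $_SERVER['HTTPS'] !== 'off';

    // Browsers drop SameSite=None cookies that lack Secure, so a cross-site
    // refresh flow only works over HTTPS. Fail loudly rather than emit a cookie
    // the browser will silently discard.
    if ($sameSite === 'None' && !$secure) {
        throw new RuntimeException('SameSite=None requires the Secure attribute (HTTPS)');
    }

    if (headers_sent()) {
        return false; // too late to add a Set-Cookie header to this response
    }

    $expires = time() + $lifetime;

    if (PHP_VERSION_ID >= 70300) {
        // PHP 7.3+: the options-array signature of setcookie() supports 'samesite'.
        return setcookie('refresh_token', $token, [
            'expires'  => $expires,
            'path'     => '/',
            'secure'   => $secure,
            'httponly' => true,
            'samesite' => $sameSite,
        ]);
    }

    // PHP < 7.3 has no samesite option, so write the header by hand. The value
    // is urlencoded as setcookie() would do it, and replace=false keeps any
    // Set-Cookie headers already queued for this response.
    $parts = [
        'refresh_token=' . urlencode($token),
        'Expires=' . gmdate('D, d M Y H:i:s \G\M\T', $expires),
        'Max-Age=' . $lifetime,
        'Path=/',
        'HttpOnly',
        'SameSite=' . $sameSite,
    ];
    if ($secure) {
        $parts[] = 'Secure';
    }
    header('Set-Cookie: ' . implode('; ', $parts), false);
    return true;
}

// Usage on the refresh endpoint (Strict is the sensible default for a
// first-party flow; pass 'None' only for a cross-site client over HTTPS):
// setRefreshTokenCookie($newRefreshToken);
```

Calling setRefreshTokenCookie($token, 14 * 86400, 'None') is the only variant that survives a cross-site response, and it is also the case affected by the third-party cookie guidance sun links below; Strict and Lax keep the cookie first-party and are unaffected by it.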

Sorry for not getting to this earlier. 😬 Your proposed change looks good to me.

We could move forward with it – although Google is now stating that we should implement other/additional measures in the meantime:

  • https://web.dev/articles/samesite-cookies-explained
  • https://developers.google.com/privacy-sandbox/cookies

Do we want to investigate that here or in a separate issue/PR?

sun avatar Oct 02 '24 09:10 sun