Chrome does not send cookies after redirecting

In node.js (using the Hapi framework) I am creating a link for the user to allow my application to read the user's account. Google processes this request and asks for permissions. Then Google redirects to my server with the response code as a GET parameter, and here I have a problem.

Google Chrome does not send a cookie with a session ID.

If I mark this cookie as a session cookie in the cookie extension, it is sent. I see the same behavior in PHP, but PHP marks the cookie as a session cookie when creating a session, so there it is not a problem. I use the hapi-auth-cookie plugin; it creates a session and handles everything about it. I also mark this cookie as not HttpOnly in the hapi-auth-cookie settings, because this was the first difference I noticed when comparing the PHP cookie with mine in node.js. I get a 401 response saying there is no authentication on every redirect. If I put the cursor in the address bar and press Enter, everything works fine, so this is a redirect problem.

My question is mainly what could be causing this behavior. I should also mention that Firefox sends the cookie with every request without any problems.

Headers after redirection (without session cookies):

  {
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "x-client-data": "CJS2eQHIprbJAQjEtskECKmdygE=",
    "x-chrome-connected": "id=110052060380026604986,mode=0,enable_account_consistency=false",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4"
  }

Headers after entering the URL in the address bar (which works fine):

  {
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4",
    "cookie": "SESSID=very_long_string"
  }
redirect google-chrome cookies hapijs
2 answers

This problem is caused by the fact that hapi-auth-cookie does not handle isSameSite (a new Hapi feature). We can set it manually, for example:

  // Server-wide default for every connection's cookie state: emit SameSite=Lax
  // instead of Hapi's default SameSite=Strict.
  const server = new Hapi.Server({ connections: { state: { isSameSite: 'Lax' } } });

But keep in mind that the default is 'Strict', and in many cases you may not want to change this value.

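To see why the answer above fixes the 401, here is an added example (not code from the question, the answers, hapi or Chromium): a small model of the SameSite check a browser performs before attaching a cookie, following RFC 6265bis. It parses a Set-Cookie line, classifies a request as same-site or cross-site, and applies the Strict/Lax/None rules. The hostnames, request objects and function names are assumptions made for the demonstration; the OAuth callback is modelled as what it is in the question, a cross-site top-level GET redirect from Google to localhost:3000.

```javascript
// Added example, not code from the question, the answers, hapi or Chromium:
// a minimal model of the SameSite decision a browser makes before attaching
// a cookie, following RFC 6265bis. Hostnames, request shapes and function
// names below are assumptions made for the demonstration.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Reduce a host to its "site" (registrable domain). Assumption: no public
// suffix list, so multi-label suffixes such as co.uk are not handled.
function siteOf(host) {
  const labels = host.toLowerCase().split('.');
  return labels.length <= 2 ? labels.join('.') : labels.slice(-2).join('.');
}

// A URL typed into the address bar has no initiator; browsers treat such a
// navigation as same-site. Everything else is compared site against site.
function isSameSiteRequest(req) {
  return req.initiator === null || siteOf(req.initiator) === siteOf(req.target);
}

// Parse the Set-Cookie line the server sent. sameSite === null means the
// attribute was absent; Chrome 80+ treats that like Lax, older browsers
// (including the Chrome 54 in the question) treated it like None.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), sameSite: null, secure: false, httpOnly: false };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'samesite':
        cookie.sameSite = val ? val.charAt(0).toUpperCase() + val.slice(1).toLowerCase() : null;
        break;
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      // Path, Domain, Expires and the rest play no part in the SameSite decision.
    }
  }
  return cookie;
}

// Decide whether the browser attaches `cookie` to `req`.
// req = { initiator, target, method, topLevelNavigation, https }
function shouldSendCookie(cookie, req, unspecifiedMeans = 'Lax') {
  // Secure cookies travel only over HTTPS (the localhost exception real
  // browsers make is deliberately left out of this model).
  if (cookie.secure && !req.https) return false;
  const sameSite = isSameSiteRequest(req);
  switch (cookie.sameSite || unspecifiedMeans) {
    case 'Strict':
      return sameSite;
    case 'Lax':
      // Cross-site is allowed only for a top-level navigation with a safe
      // method, which is exactly what an OAuth callback redirect is.
      return sameSite || (req.topLevelNavigation && SAFE_METHODS.has(req.method));
    case 'None':
      return cookie.secure; // SameSite=None is honoured only together with Secure
    default:
      return false;
  }
}

// Constructed requests mirroring the question: Google redirects the browser
// to the app's callback (cross-site top-level GET), versus the user pressing
// Enter on the same URL in the address bar (no initiator), plus a cross-site
// form POST to show what Lax still blocks.
const oauthCallbackRedirect = { initiator: 'accounts.google.com', target: 'localhost', method: 'GET', topLevelNavigation: true, https: false };
const addressBarNavigation = { initiator: null, target: 'localhost', method: 'GET', topLevelNavigation: true, https: false };
const crossSiteFormPost = { initiator: 'evil.example', target: 'localhost', method: 'POST', topLevelNavigation: true, https: false };

// The same session cookie as Hapi emits it with its default (Strict) and with the fix (Lax).
const strictSession = parseSetCookie('SESSID=very_long_string; Path=/; SameSite=Strict');
const laxSession = parseSetCookie('SESSID=very_long_string; Path=/; SameSite=Lax');

function demo() {
  return {
    strictOnCallback: shouldSendCookie(strictSession, oauthCallbackRedirect),     // false: the 401 in the question
    laxOnCallback: shouldSendCookie(laxSession, oauthCallbackRedirect),           // true: the fix in the answer
    strictFromAddressBar: shouldSendCookie(strictSession, addressBarNavigation),  // true: "press Enter and it works"
    laxOnCrossSitePost: shouldSendCookie(laxSession, crossSiteFormPost),          // false: Lax still blocks CSRF POSTs
  };
}

console.table(demo());
```

The last entry is the caveat behind "you may not want to change this value": Lax keeps the cookie off cross-site POSTs, so the CSRF protection most applications care about survives, while Strict additionally drops it from cross-site GET navigations such as the OAuth callback, which is exactly the symptom in the question. Switching the default for every cookie is the blunt fix; keeping the session cookie Strict and carrying the OAuth state in a separate Lax cookie is the narrower one.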

A separate demonstration of this problem: https://gist.github.com/isaacs/8d957edab609b4d122811ee945fd92fd

This is a bug in Chrome.

