
Chrome Browser Version: 126.0.6478.127 (Official Build) (arm64)

Used technologies:

  • ClientSide - HTML, React.js, JavaScript
  • ServerSide - GoLang

What I tried:

Step 1:

Setting a few cookies with values using JavaScript and using SameSite and Secure policies upon landing on the first-party site. Added cookies, for example:

Cookie A = 'value 1'
Cookie B = 'value 2'
Cookie C = 'value 3'


Step 2:

Performing OAuth login with Microsoft/Google (third-party sites) to authenticate the user.

Step 3:

After authenticating, a redirection occurs from the respective third-party site to the first-party site. The referrer in the request header is the third-party site. Due to this, the Chrome browser does not set the cookies in the request header, which handles the user login with those cookies (Cookie A, Cookie B, Cookie C). When reading those cookies from the server side, not all the cookies are available. Randomly, one or two cookies are missing.

Chrome has restricted third-party cookies by default for 1% of Chrome Stable clients and 20% of Canary, Dev and Beta clients.

Ref: https://developers.google.com/privacy-sandbox/3pcd

Will restricted third-party cookies affect the flow or not? If not, what could be the possible root cause of the issue and the possible better solution for this?

I appreciate your help.

Thanks in advance.

  • "using SameSite" - set to which value? Commented Jul 16, 2024 at 12:22
  • Default for SameSite, when you don't specify it, is Lax. Commented Jul 16, 2024 at 12:53
  • I don't understand how you "handle the user login". (1) Your first-party site must receive some kind of assertion from the third-party site, how is that done? (2) Does the redirection happen via GET or POST request? In the POST case, cookies would be sent only if they have SameSite=None. In the GET case, they would be sent unless they have SameSite=Strict. Commented Jul 19, 2024 at 11:48
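
The SameSite rules from the comments above, as an added example that is not part of the original question or comments: it parses `document.cookie`-style assignments and reports which cookies a browser would attach to the cross-site redirect back to the first-party site. The cookie names and values in `sample` and all function names are constructed for illustration; the model is simplified to the rules stated in the comments plus the browser requirement that `SameSite=None` cookies also carry `Secure`.

```javascript
// Parse one document.cookie-style assignment, e.g. "A=value 1; SameSite=Lax; Secure".
function parseCookieAssignment(str) {
  const [pair, ...attrs] = str.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=').map((s) => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Effective policy: SameSite=None is only accepted together with Secure;
// anything that is not None or Strict falls back to the Lax default.
function effectiveSameSite(cookie) {
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax';
}

// Names of the cookies attached to a cross-site top-level redirect
// (third-party identity provider -> first-party callback) for a given method.
function cookiesSentOnCrossSiteRedirect(assignments, method) {
  const isGet = method.toUpperCase() === 'GET';
  return assignments
    .map(parseCookieAssignment)
    .filter((c) => {
      const policy = effectiveSameSite(c);
      if (policy === 'rejected' || policy === 'strict') return false;
      if (policy === 'none') return true;
      return isGet; // Lax: sent on a GET navigation, withheld on a POST
    })
    .map((c) => c.name);
}

// Constructed sample input covering each attribute combination.
const sample = [
  'A=value 1; Secure',                  // no SameSite -> Lax
  'B=value 2; SameSite=Strict; Secure',
  'C=value 3; SameSite=None; Secure',
  'D=value 4; SameSite=None',           // rejected: None without Secure
];

console.log('GET callback :', cookiesSentOnCrossSiteRedirect(sample, 'GET'));
console.log('POST callback:', cookiesSentOnCrossSiteRedirect(sample, 'POST'));
```

Comparing the output with the cookies the Go callback handler actually receives shows whether the missing ones are explained by their SameSite attribute and the redirect method.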
