Hook for modifying session cookie
-
Hello! I have a community with NodeBB hosted in a domain like forum.com, and a blog in a different domain called blog.com. From the blog I perform API requests to the forum using a plugin. I use credentials: 'include' to perform such queries. They work correctly on Chrome and Firefox; however, I'm getting the following warning on Chrome:

A cookie associated with a cross-site resource at http://forum.com/ was set without the `SameSite` attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
I've been trying using the hook action:user.loggedIn, setting the session cookie as follows:

    // This function is called with the hook I mentioned before
    Comments.onLoggedIn = function (params) {
        console.log('params', params, arguments);
        params.req.session.cookie.sameSite = "none"; // Also tried with "lax"
    };
but the warning doesn't disappear, and in fact when I try to make queries to NodeBB's API, req.user appears undefined. Note that I need req.user in order to make the API requests. If you have any questions or need some clarification I'm happy to post them here.
Thanks in advance
-
Hi @asdrubalivan! That's an interesting conundrum you've got there...
Some history in SameSite -- we only implemented it for the site cookie, but this extends only to read-only routes. We didn't even specify it before, which would naturally fall back to Lax.

However, it seems late last year @oplik0 used sameSite: 'Strict' for API routes, or at least those requiring the CSRF token. So I wanted to ask what routes you're attempting to hit, where you're running into this issue...
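The cookie rules the two posts above turn on (an absent SameSite attribute falling back to Lax, Strict never travelling cross-site, and the Chrome warning's requirement that SameSite=None be paired with Secure) as an added JavaScript model of what the browser decides. This is not code from the thread, from NodeBB or from express-session; the hostnames blog.com and forum.com, the cookie name express.sid and the request-description shape are assumptions for illustration, and Chrome's temporary "Lax+POST" allowance for cookies under two minutes old is deliberately left out.

```javascript
// Added example (not from the thread, NodeBB or express-session): a small
// model of the browser rules that decide whether a cookie is stored and later
// attached to a request. It shows why a fetch() from blog.com with
// credentials: 'include' only carries forum.com's session cookie when that
// cookie was set with SameSite=None AND Secure over HTTPS. Hostnames, the
// cookie name and the request object shape are assumptions for illustration.

const SAFE_METHODS = new Set(['GET', 'HEAD', 'OPTIONS', 'TRACE']);

// Parse one Set-Cookie header value into the attributes that matter here.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    sameSite: null, // null means the attribute was absent
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    const k = key.trim().toLowerCase();
    if (k === 'secure') cookie.secure = true;
    else if (k === 'samesite') cookie.sameSite = val.trim().toLowerCase();
  }
  return cookie;
}

// "Site" of a host: the last two labels. Real browsers consult the public
// suffix list; this simplification is enough for blog.com vs forum.com.
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Does a Chrome-like browser store the cookie at all? Chrome drops a
// SameSite=None cookie that lacks Secure (the warning quoted in the first
// post), and a Secure cookie cannot be set by a plain-HTTP response.
function cookieAccepted(cookie, setOverHttps) {
  if (cookie.sameSite === 'none' && !cookie.secure) return false;
  if (cookie.secure && !setOverHttps) return false;
  return true;
}

// Is a stored cookie attached to this request?
//   request = { initiator, target, https, method, topLevelNavigation }
function cookieSent(cookie, request) {
  if (cookie.secure && !request.https) return false;
  if (siteOf(request.initiator) === siteOf(request.target)) return true;
  const mode = cookie.sameSite === null ? 'lax' : cookie.sameSite; // absent => Lax
  if (mode === 'none') return true;
  if (mode === 'lax') {
    // Lax only travels on top-level navigations with a safe method, so a
    // cross-site fetch()/XHR issued by a plugin never carries it.
    return request.topLevelNavigation && SAFE_METHODS.has(request.method.toUpperCase());
  }
  return false; // strict, or an unrecognised value
}

// End to end: the target site sets the cookie, then `initiator` makes a
// request to `target`. Returns true if the server sees the cookie, i.e. the
// session would be resolved and req.user populated.
function cookieReachesServer(setCookieHeader, setOverHttps, request) {
  const cookie = parseSetCookie(setCookieHeader);
  return cookieAccepted(cookie, setOverHttps) && cookieSent(cookie, request);
}

// Constructed scenario matching the thread: a plugin on blog.com calling the
// forum API with fetch(url, { credentials: 'include' }).
const apiCallFromBlog = {
  initiator: 'blog.com',
  target: 'forum.com',
  https: true,
  method: 'GET',
  topLevelNavigation: false,
};

// Three ways the forum could set its session cookie: set over HTTP with no
// attribute, over HTTP with SameSite=None only, and over HTTPS with both.
const scenarios = [
  ['express.sid=abc; Path=/; HttpOnly', false],
  ['express.sid=abc; Path=/; HttpOnly; SameSite=None', false],
  ['express.sid=abc; Path=/; HttpOnly; SameSite=None; Secure', true],
];
for (const [header, setOverHttps] of scenarios) {
  console.log(`${header}  ->  reaches server: ${cookieReachesServer(header, setOverHttps, apiCallFromBlog)}`);
}
```

Only the third header reaches the server for the cross-site API call; the first falls back to Lax and is dropped from a non-navigation request, the second is refused by the browser outright. With express-session the working case is spelled cookie: { sameSite: 'none', secure: true }, which in turn requires the forum to be served over HTTPS, since a Secure cookie is not stored when set from a plain-HTTP origin.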
-
@julian said in Hook for modifying session cookie:
Hi @asdrubalivan! That's an interesting conundrum you've got there...
...
However, it seems late last year @oplik0 used sameSite: 'Strict' for API routes, or at least those requiring the CSRF token.

Not a dev so I don't follow most of this, but my eyes did pick out the cross-site and Strict, and yes, necessary for CSRF. Seems trying to work around that would be less than advisable? I guess it ultimately depends on your security stance and cost/benefit, but I'd be wary of circumventing. It's a freakin' war zone out there. And an election year for the U.S., so expect community and blogger sites to be targeted vigorously and relentlessly.
My $0.02. We now return you to your regularly scheduled programming...