What is SameSite?
The SameSite cookie attribute tells the browser whether a cookie may be sent with requests made in a first-party (same-site) or third-party (cross-site) context. Most browsers use it to decide whether to attach a cookie to a given request.
The SameSite attribute takes one of three values:
- Lax: the cookie is sent with first-party requests only.
- Strict: the cookie is sent with first-party requests only, and is withheld even when the user arrives from an external site (which Lax permits for top-level navigations).
- None: the cookie may be sent with cross-site requests made by third parties/external sites.
Update in Chrome:
Previously, if the SameSite attribute was not set, browsers behaved as though it were None, which allows third parties to access the cookie. Now, if the SameSite attribute is not set, Chrome defaults to Lax, which allows only first-party access.
So, if your application cookies need to be accessed by a third party, you must set SameSite to None explicitly. In that case you must also set the Secure attribute: only a cookie that explicitly carries SameSite=None; Secure is shared with a third party.
How do we resolve this issue in Rails?
To resolve this in Rails, set the session cookie with SameSite=None and Secure explicitly. Both options are set in session_store.rb:
config/initializers/session_store.rb
```ruby
Rails.application.config.session_store :cookie_store, {
  key: '_application_session',
  domain: :all,          # share the cookie across subdomains
  same_site: :none,      # emits SameSite=None, required for third-party access
  secure: true,          # emits Secure; must be a boolean, not the symbol :true
  tld_length: 2
}
```
The only catch is that, because the Secure attribute is set, the cookie is sent only over a secured connection (HTTPS). To test this in your development environment, expose it over HTTPS with ngrok.
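As an added example (not from the original post, and not Rails or Rack code), the snippet below renders a Set-Cookie header from session_store-style options, using a hypothetical render_set_cookie helper that approximates Rack's output, and then checks the header against the Chrome rules described above: a missing SameSite is treated as Lax, and SameSite=None is only honoured together with Secure. The cookie names and values are constructed for illustration.

```ruby
SAMESITE_VALUES = %w[strict lax none].freeze

# Render a Set-Cookie header from session_store-style options (hypothetical helper,
# an approximation of Rack's output, not Rack's own code).
def render_set_cookie(key, value, same_site: nil, secure: false, domain: nil, http_only: true)
  parts = ["#{key}=#{value}", "path=/"]
  parts << "domain=#{domain}" if domain
  parts << "secure" if secure
  parts << "HttpOnly" if http_only
  parts << "SameSite=#{same_site.to_s.capitalize}" if same_site
  parts.join("; ")
end

# Parse a Set-Cookie header into its cookie name and a lowercase attribute hash.
def parse_set_cookie(header)
  pair, *attrs = header.split(";").map(&:strip)
  name, = pair.split("=", 2)
  attributes = attrs.each_with_object({}) do |attr, h|
    k, v = attr.split("=", 2)
    h[k.downcase] = v.nil? ? true : v.downcase
  end
  { name: name, attributes: attributes }
end

# Apply the Chrome behaviour from the post: a missing SameSite is treated as Lax,
# and SameSite=None is honoured only when Secure is also present.
def classify_cookie(header)
  attrs = parse_set_cookie(header)[:attributes]
  declared = attrs["samesite"]
  effective = declared || "lax"
  unless SAMESITE_VALUES.include?(effective)
    return { accepted: false, reason: "unknown SameSite value #{declared}" }
  end
  if effective == "none" && !attrs.key?("secure")
    return { accepted: false, reason: "SameSite=None without Secure is rejected" }
  end
  { accepted: true, effective_same_site: effective.to_sym, cross_site_allowed: effective == "none",
    reason: declared ? "explicit SameSite=#{declared}" : "no SameSite set, defaulted to Lax" }
end

# Constructed sample headers: the post's fix next to two common mistakes.
SAMPLE_HEADERS = {
  fixed: render_set_cookie("_application_session", "abc123", same_site: :none, secure: true, domain: "example.com"),
  none_without_secure: render_set_cookie("_application_session", "abc123", same_site: :none),
  unset: render_set_cookie("_application_session", "abc123")
}.freeze

if $PROGRAM_NAME == __FILE__
  SAMPLE_HEADERS.each { |label, h| puts "#{label}: #{classify_cookie(h)[:reason]}" }
end
```

Running classify_cookie over the Set-Cookie headers your application actually emits is a quick way to spot session cookies that will silently stop working cross-site after the Chrome change.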
That’s it! Your application will work perfectly in Chrome. Cheers!