Chrome 80 breaks Snap cookies

  1. What browsers show this problem?
    Chrome (cross-platform)
  2. Please share an example project (if possible).
    Any: attempt to sign in to Snap Cloud from non-berkeley.edu-hosted versions of Snap!
  3. Describe the steps to reproduce this issue.
    Open Snap! from amazingrobots.net/snap or other non-berkeley.edu-hosted versions of Snap! Watch Developer tools.
  4. What does Snap! currently do?
    Does not allow sign-in to Snap! Cloud
    A cookie associated with a cross-site resource at http://snap.berkeley.edu/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.
  5. What should Snap! do instead?
    Allow sign-in to Snap! Cloud

More info: https://web.dev/samesite-cookies-explained/

Thanks. I am aware and have been looking at this. We will do our best to fix this but it’s not easy given the safari bugs. We don’t have much development cycles right now.

Super! Thank you!

Mike

Did you consider duplicating the session cookie with a different name and "SameSite=None;Secure" attributes? I hope that a simple modification to the Lapis source code will be sufficient (I have no live Lapis environment so it's only speculation).

lapis/session.lua

get_session = function(r, secret)
...
  local cookie = r.cookies[config.session_name]
  -- fall back to the duplicate cookie when the browser withheld the original one
  if not (cookie) then
    cookie = r.cookies[config.session_name .. "_samesite"]
  end
...
end

write_session = function(r)
...
  r.cookies[config.session_name] = mt.encode_session(s)
  -- second copy carrying the attributes Chrome 80 requires for cross-site delivery
  r.cookies[config.session_name .. "_samesite"] = mt.encode_session(s) .. ";SameSite=None;Secure"
end

Thanks!! Another app I develop went through the same discussions last week.

We've deployed the SameSite cookie for all users. This will cause problems on older Safari browsers. Later I will work on the 2nd cookie. Well, I need to decide whether 2 cookies or detecting a user agent string is easier to manage. But both options are possible.

The actual fully compatible user agent checks are kind of extensive.... https://github.com/pschinis/rails_same_site_cookie/blob/master/lib/rails_same_site_cookie/user_agent_checker.rb

And yet, messing with Lapis internals has associated maintenance costs.

Anyway, we'll make sure this all works.
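Both options discussed above (the two-cookie fallback proposed in the Lapis snippet, and sending a single cookie chosen by user-agent detection) are illustrated in this added example. It is generic server-side code written for this thread, not Snap! or Lapis code; the cookie name `snap_session`, the function names, and the sample user-agent strings are constructed. The incompatibility rules approximate the publicly documented list of clients that reject or mis-handle `SameSite=None` (iOS 12 WebKit, Safari and embedded WebKit on macOS 10.14, Chrome 51 to 66, UC Browser before 12.13.2); the regexes are a simplification of that list, not a copy of the linked checker.

```python
"""Two ways to keep a session cookie working from a cross-site embedding
after Chrome 80 without locking out clients that mis-handle SameSite=None.
Added example for this thread; not Snap!/Lapis code."""
import re

# Approximations of the documented "known incompatible clients" list (assumption).
_IOS12 = re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/")
_MAC1014 = re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/")
_SAFARI = re.compile(r"Version/.* Safari/")
_MAC_EMBEDDED = re.compile(
    r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)$")
_CHROME_VER = re.compile(r"Chrom(?:e|ium)/(\d+)[.\d]*")
_UC = re.compile(r"UCBrowser/(\d+)\.(\d+)\.(\d+)[.\d]*")


def is_samesite_none_incompatible(ua: str) -> bool:
    """True when the client is known to drop, or treat as Strict, a cookie
    that carries SameSite=None."""
    if _IOS12.search(ua):
        return True
    if _MAC1014.search(ua) and (_SAFARI.search(ua) or _MAC_EMBEDDED.match(ua)):
        return True
    m = _CHROME_VER.search(ua)
    if m and 51 <= int(m.group(1)) <= 66:
        return True
    m = _UC.search(ua)
    if m and tuple(int(x) for x in m.groups()) < (12, 13, 2):
        return True
    return False


def session_set_cookie_headers(name: str, value: str, ua: str, strategy: str = "dual"):
    """Return the Set-Cookie header values the server should emit.

    "dual": always send two cookies, the legacy one and a "<name>_samesite"
            copy with Secure; SameSite=None (the thread's Lapis proposal).
    "ua":   send one cookie and pick its attributes from the user agent.
    """
    base = f"{name}={value}; Path=/; HttpOnly"
    if strategy == "dual":
        return [base, f"{name}_samesite={value}; Path=/; HttpOnly; Secure; SameSite=None"]
    if is_samesite_none_incompatible(ua):
        # Old WebKit would treat SameSite=None as Strict: omit it entirely.
        return [base]
    return [base + "; Secure; SameSite=None"]


def read_session(cookie_header: str, name: str):
    """Server-side reader for the dual strategy: prefer the legacy cookie,
    fall back to the SameSite copy when the browser withheld the original."""
    jar = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            k, v = part.strip().split("=", 1)
            jar.setdefault(k, v)
    return jar.get(name) or jar.get(name + "_samesite")


# Constructed sample user agents.
CHROME_80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
             "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36")
IOS_12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
          "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")

if __name__ == "__main__":
    for ua in (CHROME_80, IOS_12):
        print(ua.split(")")[0] + ")", "->", session_set_cookie_headers("snap_session", "abc", ua, "ua"))
    # Chrome 80 on a cross-site request drops the legacy cookie but sends the copy:
    print(read_session("snap_session_samesite=abc", "snap_session"))
```

With the dual strategy the reader side is what makes it work: Chrome 80 sends only the `_samesite` copy on cross-site requests, while a Safari 12 client sends only the legacy cookie, so the lookup order covers both without any user-agent sniffing. The cost is two cookies per response and the server-side fallback in every place the session is read, which is the maintenance trade-off mentioned above.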

Actually, I didn't deploy the fix earlier, but I did just now and tested with amazingrobots and turned on all the cookie settings I could in Chrome just to give the most secure test, and things are working.

The intention will still be to fix Safari and older browsers soon.

Awesome! (Chrome's my only concern... : )

Thank you for your work on Snap! and on this fix in particular!

Mike