
Chrome is changing the default value of the SameSite cookie attribute from None to Lax as of version 80. My site is embedded in another site using an iframe, and the login session of my site is handled by express-session.

For new browsers the solution is just to set the session cookie to SameSite=None; Secure, which express-session already supports. However, some clients are incompatible with the SameSite attribute and would stop working.

One proposed solution to the problem is to use two cookies, one for new clients and one for the old incompatible clients:

Set-cookie: session-id=value; SameSite=None; Secure
Set-cookie: session-id-legacy=value; Secure

Is it possible to use the proposed two-cookie solution to the problem, or is there a better way in express-session to also provide support for old incompatible browsers?

Samuli Asmala
    Adding this as a comment, since it's not really a complete answer. I would suggest looking at creating some kind of middleware to coalesce the cookies before they reach the `express-session` handler. You can see how I'm doing this kind of thing in a Cloudflare worker here: https://github.com/GoogleChromeLabs/samesite-examples/blob/cloudflare-worker/cloudflare-worker.md – rowan_m Feb 12 '20 at 11:30
  • Thanks, that might be the best approach. It probably needs to be a wrapper middleware since the cookies need to be handled both before they reach the `express-session` but also after the `express-session` has set the cookie for a new session. – Samuli Asmala Feb 21 '20 at 08:00
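The wrapper middleware sketched in the comments, written out as an added example (this is not code from the question, from rowan_m's Cloudflare worker, or from express-session itself). It implements the two-cookie scheme from the question: inbound, it folds a `session-id-legacy` cookie into `session-id` so express-session, which reads `req.headers.cookie`, finds the session under one name; outbound, it wraps `res.setHeader` so every `Set-Cookie` for `session-id` that express-session emits (it writes the header with `res.setHeader('Set-Cookie', ...)`) gets a twin named `session-id-legacy` with the same value and attributes minus `SameSite`. The cookie names, the `sameSiteCompat` function and its helpers are assumptions for the illustration; express-session is not required, so the block runs stand-alone.

```javascript
// Added example: SameSite two-cookie compatibility wrapper for express-session.
// Assumed names (not from express-session): NEW_NAME is the session cookie name
// you configure in express-session ({ name: 'session-id' }); the legacy twin
// is NEW_NAME + '-legacy', matching the headers in the question.
const NEW_NAME = 'session-id';
const LEGACY_NAME = 'session-id-legacy';

// Minimal parse of a Cookie request header into an ordered Map.
// The first occurrence of a name wins, matching how most servers resolve duplicates.
function parseCookieHeader(header) {
  const out = new Map();
  if (!header) return out;
  for (const part of header.split(';')) {
    const eq = part.indexOf('=');
    if (eq < 0) continue;
    const name = part.slice(0, eq).trim();
    const value = part.slice(eq + 1).trim();
    if (name && !out.has(name)) out.set(name, value);
  }
  return out;
}

// Inbound: if the client only sent the legacy cookie (old browser that could not
// accept SameSite=None), present its value under the new name; always drop the
// legacy name so downstream code never sees two session cookies.
function coalesceCookieHeader(header, newName = NEW_NAME, legacyName = LEGACY_NAME) {
  const cookies = parseCookieHeader(header);
  if (!cookies.has(newName) && cookies.has(legacyName)) {
    cookies.set(newName, cookies.get(legacyName));
  }
  cookies.delete(legacyName);
  return Array.from(cookies, ([k, v]) => `${k}=${v}`).join('; ');
}

// Outbound: build the legacy twin of one Set-Cookie value for the new cookie.
// Same value and attributes (Path, HttpOnly, Secure, Expires, ...), SameSite removed.
// Returns null when the value is for some other cookie.
function legacyTwin(setCookie, newName = NEW_NAME, legacyName = LEGACY_NAME) {
  const parts = setCookie.split(';').map((s) => s.trim());
  const eq = parts[0].indexOf('=');
  if (eq < 0 || parts[0].slice(0, eq) !== newName) return null;
  const value = parts[0].slice(eq + 1);
  const attrs = parts.slice(1).filter((a) => !/^samesite(=|$)/i.test(a));
  return [`${legacyName}=${value}`, ...attrs].join('; ');
}

// Given the full Set-Cookie list, regenerate legacy twins from scratch so that
// express-session re-setting the header (it concatenates the previous value)
// never produces duplicate legacy entries.
function duplicateSetCookies(values, newName = NEW_NAME, legacyName = LEGACY_NAME) {
  const kept = values.filter((v) => !v.startsWith(`${legacyName}=`));
  const twins = kept.map((v) => legacyTwin(v, newName, legacyName)).filter(Boolean);
  return kept.concat(twins);
}

// Express-style middleware. Mount it BEFORE express-session (and before
// cookie-parser, if used) so the rewritten Cookie header is what they parse.
function sameSiteCompat(opts = {}) {
  const newName = opts.name || NEW_NAME;
  const legacyName = opts.legacyName || `${newName}-legacy`;
  return function (req, res, next) {
    if (req.headers.cookie) {
      req.headers.cookie = coalesceCookieHeader(req.headers.cookie, newName, legacyName);
    }
    // Per-response override: express-session calls res.setHeader('Set-Cookie', ...)
    // from its on-headers hook, so intercepting here catches new sessions too.
    const setHeader = res.setHeader.bind(res);
    res.setHeader = function (field, value) {
      if (String(field).toLowerCase() === 'set-cookie') {
        value = duplicateSetCookies([].concat(value), newName, legacyName);
      }
      return setHeader(field, value);
    };
    next();
  };
}

// Usage (assumed wiring, with express-session configured for the new cookie):
//   app.use(sameSiteCompat({ name: 'session-id' }));
//   app.use(session({ name: 'session-id', secret, cookie: { secure: true, httpOnly: true, sameSite: 'none' } }));

module.exports = { parseCookieHeader, coalesceCookieHeader, legacyTwin, duplicateSetCookies, sameSiteCompat };
```

Two caveats a practitioner should keep in mind. The legacy cookie carries the same signed session identifier with no SameSite attribute, so on browsers that understand the attribute it simply defaults to Lax and is never sent from the iframe, while on old clients it restores the pre-SameSite behaviour and therefore gives no CSRF protection; keep `Secure` and `HttpOnly` on both cookies and keep whatever anti-CSRF token the site already uses. Also, express-session only emits `Secure` cookies when it sees an HTTPS request, so behind a TLS-terminating proxy `app.set('trust proxy', 1)` is still needed for either cookie to be set at all.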

0 Answers