Safari not sending cookie even after setting SameSite=None; Secure

Views: 1084

Problem description


Our application uses cookies to remember user login. On every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and gets authenticated. This behaviour seems to be broken in Safari after the Mojave release.


I read about the cross-site cookie security implemented by Safari, and our server team added SameSite=None; Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; path=/; secure; HttpOnly; SameSite=None


Please advise or provide links from people who actually found a solution.

Answer


Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None is erroneously treated as SameSite=Strict, e.g. the most restrictive setting.


I've published some guidance in SameSite cookie recipes on either:

  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.
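Both workarounds from the answer, as an added example that is not part of the original answer or of the SameSite cookie recipes it links to. The "two sets of cookies" helper emits a modern cookie carrying SameSite=None; Secure plus a -legacy twin with no SameSite attribute, and the reader prefers the modern one. The user-agent sniffing helper only covers the clients this page names (Safari on macOS 10.14 and all browsers on iOS 12); its regular expressions are modelled on the published Chromium "incompatible clients" patterns, and the user-agent strings are constructed samples, not captured ones.

```python
import re
from http.cookies import SimpleCookie

# Constructed sample user agents (assumption: realistic shapes, not captured from real clients).
UA_SAFARI_MOJAVE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                    "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
UA_IOS12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")
UA_MODERN_CHROME = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                    "(KHTML, like Gecko) Chrome/80.0.3987.149 Safari/537.36")

# Patterns modelled on the Chromium incompatible-clients heuristics (assumption: they match
# the WebKit/Safari builds that treat SameSite=None as SameSite=Strict).
_IOS12 = re.compile(r"\(iP.+; CPU .*OS 12[_\d]*.*\) AppleWebKit/")
_MACOS_10_14 = re.compile(r"\(Macintosh;.*Mac OS X 10_14[_\d]*.*\) AppleWebKit/")
_SAFARI = re.compile(r"Version/.* Safari/")
_MAC_EMBEDDED = re.compile(
    r"^Mozilla/[.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit/[.\d]+ \(KHTML, like Gecko\)$")


def rejects_samesite_none(user_agent: str) -> bool:
    """True for clients known to mis-handle SameSite=None (iOS 12; Safari/WebKit on macOS 10.14)."""
    if _IOS12.search(user_agent):
        return True
    if _MACOS_10_14.search(user_agent):
        return bool(_SAFARI.search(user_agent) or _MAC_EMBEDDED.search(user_agent))
    return False


def two_cookie_headers(name: str, value: str) -> list:
    """Workaround 1: emit the modern cookie and a '-legacy' twin without SameSite.

    Browsers that reject SameSite=None drop the first cookie but keep the second;
    browsers that understand it keep both, and the reader prefers the modern one.
    """
    base = f"{name}={value}; Path=/; Secure; HttpOnly"
    return [base + "; SameSite=None", f"{name}-legacy={value}; Path=/; Secure; HttpOnly"]


def ua_sniffing_header(name: str, value: str, user_agent: str) -> str:
    """Workaround 2: omit SameSite=None only for clients that cannot handle it."""
    base = f"{name}={value}; Path=/; Secure; HttpOnly"
    if rejects_samesite_none(user_agent):
        return base
    return base + "; SameSite=None"


def read_session_cookie(cookie_header: str, name: str):
    """Parse a request's Cookie header; prefer the modern cookie, fall back to the legacy twin."""
    jar = SimpleCookie()
    jar.load(cookie_header)
    for candidate in (name, f"{name}-legacy"):
        if candidate in jar:
            return jar[candidate].value
    return None


if __name__ == "__main__":
    for ua in (UA_SAFARI_MOJAVE, UA_IOS12, UA_MODERN_CHROME):
        print(rejects_samesite_none(ua), ua_sniffing_header("my_cookie", "XXXXX", ua))
    print(two_cookie_headers("my_cookie", "XXXXX"))
    print(read_session_cookie("my_cookie-legacy=XXXXX", "my_cookie"))
```

The legacy twin carries the same session value, so it must be issued with the same Secure and HttpOnly attributes and revoked together with the modern cookie; the user-agent check is a stop-gap for browser versions that can still be observed in server logs, not a substitute for the attribute itself.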
