Safari not sending cookie even after setting SameSite=None; Secure


Question

Our application uses cookies to remember user login. On every auth API call we make, the browser attaches the server-set HttpOnly cookie to the API request and gets authenticated. This behaviour seems to be broken in Safari after the Mojave release.

I read about the cross-site cookie security implemented by Safari, and our server team added SameSite=None; Secure while setting the cookie. Even after that, it still doesn't work.

Set-Cookie: my_cookie=XXXXX; Path=/; Secure; HttpOnly; SameSite=None

Please advise or provide links from people who actually found a solution..

Accepted answer

Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug, which means that SameSite=None is erroneously treated as SameSite=Strict, i.e. the most restrictive setting.

I've published some guidance in SameSite cookie recipes on either:

  • Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
  • Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.
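Both recipes from the answer, as an added Python example (not code from the original answer or from the SameSite cookie recipes page): the user-agent patterns, the `-legacy` suffix and the sample user agents are this example's assumptions.

```python
import re
from typing import Dict, List, Optional

# User-agent patterns for the two client classes the answer names. The
# regexes are this example's assumption, not part of the original answer.
_MACOS_10_14 = re.compile(r"Macintosh; Intel Mac OS X 10_14")
_IOS_12 = re.compile(r"(?:CPU iPhone OS 12|iPad; CPU OS 12)")

def treats_none_as_strict(user_agent: str) -> bool:
    """Return True for clients that misread SameSite=None as Strict."""
    if _IOS_12.search(user_agent):
        return True  # every browser on iOS 12 shares the system WebKit
    if _MACOS_10_14.search(user_agent):
        # On Mojave only Safari itself is affected; Chrome also ends its
        # UA with "Safari/", so exclude it via the "Chrome/" token.
        return "Version/" in user_agent and "Chrome/" not in user_agent
    return False

def _attributes(value: str) -> str:
    return f"{value}; Path=/; Secure; HttpOnly"

def two_cookie_headers(name: str, value: str) -> List[str]:
    """Recipe 1: emit the cookie twice, with and without SameSite=None.
    Buggy clients drop the first copy but keep sending the -legacy one."""
    return [f"{name}={_attributes(value)}; SameSite=None",
            f"{name}-legacy={_attributes(value)}"]

def ua_sniffed_header(name: str, value: str, user_agent: str) -> str:
    """Recipe 2: omit the SameSite attribute for incompatible clients."""
    header = f"{name}={_attributes(value)}"
    return header if treats_none_as_strict(user_agent) else header + "; SameSite=None"

def read_session(cookies: Dict[str, str], name: str) -> Optional[str]:
    """Server side of recipe 1: accept whichever copy the client sent."""
    return cookies.get(name) or cookies.get(f"{name}-legacy")

# Constructed user agents for a quick check (not captured from real clients).
SAFARI_MOJAVE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                 "(KHTML, like Gecko) Version/12.1.2 Safari/605.1.15")
CHROME_MOJAVE = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/537.36 "
                 "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")
IOS12_SAFARI = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
                "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1")

if __name__ == "__main__":
    for ua in (SAFARI_MOJAVE, CHROME_MOJAVE, IOS12_SAFARI):
        print(ua_sniffed_header("my_cookie", "XXXXX", ua))
```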
