Applicationinsights-js: Manage SameSite Cookie Settings

Created on 3 Dec 2019  路  11Comments  路  Source: microsoft/ApplicationInsights-JS

I was wondering how I can set the SameSite option for the Application Insights cookies. Chrome will change the behavior of SameSite cookies in Feb 2020 (https://www.chromestatus.com/feature/5088147346030592). Is there any documentation how the cookie options are set depending on the browser agent?

Most helpful comment

The issue is that the URL must be https, otherwise we don't write the Secure; or SameSite=None settings. As SameSite requires Secure :-). and looking at the URL in the screenshot its http://localhost

All 11 comments

If you are on the latest version of the SDK, we are already setting SameSite to None. This only applies to new cookies, and existing cookies will not have the policy applied to them. From what I can tell the chrome change only blocks the "creation" of non-policy'ed cross site cookies.

Thank you for your information. As far as I know the cookie setting depends on the browser agent as there are incompatible clients: https://www.chromium.org/updates/same-site/incompatible-clients

It looks like the fix for legacy cookies (issue #1112) is not in the latest NPM release 2.3.1:

@neolefty The legacy cookie fix PR is (unreleased) patch for 1.0.20 iteration of the (legacy) SDK. For the 2.* version, the cookie change for this SDK is already released

I have an angular app using version 2.4.2 of the @microsoft/application-insights-web package and the SameSite issue doesn't happen in Chrome80 but I noticed that Edge Chromium Version 79.0.309.71 (Official build) (64-bit) is still writing no SameSite attribute that results in a warning (screenshot).

image

@hiraldesai Could you delete the cookie and see if it writes it with the correct property?

I had tried that before, tried it one more time. Same issue.

image

Was it also an issue on 2.3.1?

The issue is that the URL must be https, otherwise we don't write the Secure; or SameSite=None settings. As SameSite requires Secure :-). and looking at the URL in the screenshot its http://localhost

Ohhh, my bad! Sorry I should have figured it out on my own. Thank you for checking!

Version 2.4.3 is now published to CDN and NPM and addresses this the SameSite issues, it also includes checks for incompatible clients.

Was this page helpful?
0 / 5 - 0 ratings