Hydra: Cookie issue with google chrome Version 84.0.4147.125 (http can't set cookie for browser) request_forbidden.

Created on 14 Aug 2020  路  2Comments  路  Source: ory/hydra

Hello!
I having a issue with google chrome version 84.0.4147.125. The browsers can't set the cookie in headers response from ory/hydra (public port).

When I request to below url and login success. Hydra server response error request_forbidden.

Request:
https://<host_name>/oauth2/auth?client_id=web-client&redirect_uri=https%3A%2F%2F<my_hostname>%2Fcallback&scope=openid%20offline&response_type=code&state=ddg9w3hxk5q9semh5pu48c

Respose: request_forbidden

Server LOG: 
time="2020-08-14T06:52:29Z" level=error msg="An error occurred" debug="No CSRF value available in the session cookie" description="The request is not allowed" error=request_forbidden hint="You are not allowed to perform this action.",

But it work good on chromium and firefox.Look like chrome can't set the Cookie oauth2_authentication_csrf to browser. This is my screen shot on 3 browsers.

Chrome with warning:
chrome

Chromium and firefox work good.
chromium
firefox

Most helpful comment

Thank you for the report, we are currently working on a fix. Here's our report for now.


Google Chrome changed the behavior of SameSite=None so that it is not possible to use
this SameSite mode without the HTTP Cookie secure flag.

If you run a version of ORY Hydra 1.6 and below and experience this issue:

  • Make sure to not use the --dangerous-force-http flag
  • Set configuration value serve.cookies.same_site_mode or environment variable SERVE_COOKIES_SAME_SITE_MODE to
    Lax - this happens automatically for ORY Hydra 1.7+ when running in HTTP mode.

All 2 comments

Thank you for the report, we are currently working on a fix. Here's our report for now.


Google Chrome changed the behavior of SameSite=None so that it is not possible to use
this SameSite mode without the HTTP Cookie secure flag.

If you run a version of ORY Hydra 1.6 and below and experience this issue:

  • Make sure to not use the --dangerous-force-http flag
  • Set configuration value serve.cookies.same_site_mode or environment variable SERVE_COOKIES_SAME_SITE_MODE to
    Lax - this happens automatically for ORY Hydra 1.7+ when running in HTTP mode.
Was this page helpful?
0 / 5 - 0 ratings