Chrome doesn't send cookies after redirect

Published 2019-04-06 03:03

Question:

In node.js (using the Hapi framework) I'm creating a link for the user to allow my app to read the user account. Google handles that request and asks about giving permissions. Then Google redirects to my server with a GET parameter as a response code, and here I have an issue.

Google Chrome isn't sending the cookie with the session ID.

If I mark that cookie as a session cookie in the cookie edit extension, it is sent. Same behavior in PHP, but PHP marks the cookie as a session cookie when creating the session, so it isn't a problem. I'm using the plugin hapi-auth-cookie; it creates the session and handles everything about it. I also mark that cookie as non-HttpOnly in the hapi-auth-cookie settings, because it was the first difference that I noticed when inspecting that PHP session cookie and mine in node.js. I get a 401 missing authentication response on each redirect. If I place the cursor in the address bar and hit enter, everything works fine, so it is an issue with the redirect.

My question is basically: what may be causing that behavior? On the other hand, I have to mention that Firefox sends the cookie after each request without any issues.

Headers after redirect (no cookie with session):

{
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "x-client-data": "CJS2eQHIprbJAQjEtskECKmdygE=",
    "x-chrome-connected": "id=110052060380026604986,mode=0,enable_account_consistency=false",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4"
}

Headers after hitting enter in the address bar (which works fine):

{
    "host": "localhost:3000",
    "connection": "keep-alive",
    "cache-control": "max-age=0",
    "upgrade-insecure-requests": "1",
    "user-agent": "Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/54.0.2840.99 Safari/537.36",
    "accept": "text/html,application/xhtml+xml,application/xml;q=0.9,image/webp,*/*;q=0.8",
    "accept-encoding": "gzip, deflate, sdch, br",
    "accept-language": "pl-PL,pl;q=0.8,en-US;q=0.6,en;q=0.4",
    "cookie": "SESSID=very_long_string"
}

Answer 1:

This issue is caused by hapi-auth-cookie not yet dealing with isSameSite (a new feature of Hapi). We can set it manually, e.g.

const Hapi = require('hapi');

// Server-level cookie state defaults: every cookie set through the
// state API (including the hapi-auth-cookie session cookie) gets SameSite=Lax.
const server = new Hapi.Server({
    connections: {
        state: {
            isSameSite: 'Lax'
        }
    }
});

But please consider that by default you have the 'Strict' option, and in many cases you may not want to change that value.



Answer 2:

A standalone demo of this issue: https://gist.github.com/isaacs/8d957edab609b4d122811ee945fd92fd

It's a bug in Chrome.