5
votes

Recently due to Chrome 80, it has been noted that cookies without the SameSite=None and Secure attributes will not get set in Chrome browsers.

Currently, I use the Flask-JWT-Extended library to generate my cookies for my backend, but even though it has the samesite=None in the set_cookies function the cookies still do not get set in the browser. I sent the request with Postman and viewed my cookie and got the below cookie:

access_token_cookie=my_token; Path=/; Domain=127.0.0.1; Secure; HttpOnly;

I have tried manually setting the headers with:

resp.headers.add('Set-Cookie', 'access_token_cookie=bar; SameSite=None; Secure')

But even after setting the cookie manually, I still get the following cookie with no SameSite attribute:

access_token_cookie=bar; Path=/user; Domain=127.0.0.1; Secure;

I'm wondering if there is a way to set the SameSite attribute within the cookies right now.

Edit This is the code that I have for the site.

  • List item
        access_token = create_access_token(identity=user.username)
        resp = jsonify({"username": user.username,
                        "user_type": user.roles
                        })
        resp.headers.add('Set-Cookie', 'access_token_cookie=' + access_token + '; SameSite=None; Secure')
        return resp

2

2 Answers

1
votes

Chrome ignores cookies marked as Secure that was received via insecure channel. So, you can either test this via https or remove the Secure attribute

Chrome ignores cookies received over insecure channel with attribute Secure

0
votes

In order to do this, I use make_response without any Flask plugins:

from flask import make_response, render_template
resp = make_response(render_template("index.html"))
resp.set_cookie('pwd', pwd, samesite="Lax")

The important part is resp.set_cookie('pwd', pwd, samesite="Lax"). The samesite argument lets you set the SameSite of the cookie.