We have a register page on DomainA.com, which - after successful registration, show a page with a JavaScript redirect to our application App.DomainB.com/direct-login/{login-token}. This has worked for a long time, until we wanted to use SameSite session cookies. With 'Strict' this won't work at all, so we decided to use 'Lax'.
Sadly 'Lax' also did not work. We found out that a back-end redirect (Location: App.DomainB.com/direct-login/token) did do the trick, but we have some Google Analytic events in the front-end of the DomainA.com response. I am not sure if we could move those GA events to the App.DomainB.com, but we would rather not if at all possible.
Another "trick" we tried was creating a back-end redirect controller in DomainA.com, and when the registration was successful, it would show the javascript redirect, but this time redirect to DomainA.com/redirect/token. Sadly trying to trick the browser had no success.
My question is how we could make the redirect from DomainA.com to the direct login URL from on App.DomainB.com, where App.DomainB.com sets a session cookie with SameSite attribute (e.g. Strict or Lax). Hopefully while keeping the GA events on DomainA.com.
If you guys have more questions, I'm happy to eloborate. Code snippets are possible if required.
TLDR; It seems that setting a samesite cookie when being redirected (via a client-side redirect) from another origin is blocked by most, if not all browsers. Is there any way to set the samesite cookie after being redirected from another origin?
EDIT: It turns out, SameSite=Lax does fix the problem.
