Cross-Site and Same-Site Cookie Context

7
Hi Mendix community, Our application running under Mx7.23.11 and Chrome 80 started few weeks ago to show a prompt message “This application requires cookies to be enabled”. The console shows the following warning. “ A cookie associated with a cross-site resource at http://ourwebsite.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.” After reading the documentation, Chrome 80 started to enforce the rule no Cross-Site cookie unless it is explicitly set with ‘SameSite=None’ and ‘Secure’ options. Is there any setting possible to force Mendix to apply the ‘SameSite’ and ‘Secure’ on the cookies ? If not, is there any update scheduled for Mendix7.23.11 to fix the issue?
asked
3 answers
1

Just ran into the same (frustrating) issue.

 

In your Chrome browser type: 

chrome://flags

 

On the resulting page, search for ‘samesite’.

Change the setting for “SameSite by default cookies” from ‘Default’ to ‘Disabled’.

answered
1

I noticed there was a fix for this (or a very similar) issue in Mendix 8.11.1:

Besides any cookies coming from the Runtime, the client manages two particular cookies: originURI and a test cookie that is used to reliably determine whether cookies are enabled in the browser. In line with the stricter default value for the SameSite cookie attribute (as enforced by the latest versions of Google Chrome and upcoming versions of Mozilla Firefox), we now set the SameSite attribute to None and the Secure attribute to true, in case the app is being served over https. For apps served over http, there are no changes.

If this is an issue for you, I would suggest submitting a ticket to Mendix to fix this: in a corporate environment, you can’t expect users to manually change their Chrome settings.

answered
1

I have fixt it by updating to Mendix 8.12.1.

They have done a fix for this issue.
https://docs.mendix.com/releasenotes/studio-pro/8.12#8121

 

answered