Unable to set cookie on Safari (Works on Chrome) - cookies

Hi, I have been creating my first MERN stack web application and deployed the frontend and backend on separate domains.
Frontend (Netlify): example.netlify.app
Backend (Heroku): example.herokuapp.com
GitHub (this is my repository, just in case): https://github.com/dbwjd5864/YumPlan
So getting cookies from the backend and storing them in order to make other API calls with those cookies worked fine with Chrome (I haven't tried yet with Firefox but I believe it works as well).
However, when I tested it with Safari, I can see the cookies on the response but they were not stored for later requests, so I couldn't get authorized. However, when I uncheck "Prevent cross-site tracking" under Safari preferences, I could get cookies for the later API calls.
I guess this is a CORS issue which comes from a Safari setting. I spent so much time trying to find a way to solve it but I couldn't. Is there any way to make it possible for Safari users to log in and set the token on different domains?
Or should I just use the same domain, for example, deploy the frontend and backend on Heroku together so they share the same domain?
I really appreciate any help you can provide.

Related

Browser blocks cross domain iframe cookies

I have a forum-like component which I use in an iframe on other websites. This component uses django-allauth for authentication with Facebook and Twitter. Everything worked fine, but the authentication stopped working some time ago. When I look at the cookies in my browser, the cookies from Facebook/Twitter which are set by the iframe are not loaded. However, the cookies from the component itself are set.
The authentication still works when I load the iframe on a website which is on another subdomain of the component itself.
Tool on another subdomain (working):
https://shop-sandbox.adbuddy.be/discussie/
Tool on a totally different domain (not working):
https://mama-calinka.webbuddy.be/discussie/
I guess this problem has something to do with CORS headers, but nothing I've tried helped. Can someone help me with this problem please?
If this stopped working only very recently, it could be related to Chrome's recent breaking change: if a cookie's SameSite attribute is not explicitly set, it defaults to SameSite=Lax, which prevents your browser from sending the cookie in cross-site requests.
I checked your https://shop-sandbox.adbuddy.be/discussie/ - there are many cookies with SameSite empty.
There could be a couple more reasons why a browser ignores a cookie in the request, and I tried to sum all of them up in my blog here.

Why isn't the browser storing a cookie created in a subdomain, in the referrer subdomain?

I'm facing a few problems when I authenticate using cookies to store the token. Those cookies should be delivered between subdomains; for example, I have my auth code deployed in a subdomain named services.mydomain.co and my frontend in a subdomain named apps.mydomain.co.
When someone authenticates, my auth code creates a cookie with the Domain attribute like this: Domain=.mydomain.co, in order to enable it to be delivered to all subdomains of mydomain.co, but the cruel reality is that it is not working; the browser isn't even storing the cookie.
The cookie is successfully delivered in the response header after authentication, but the browser isn't storing it.
I'm creating the cookie this way:
Set-Cookie: myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none
I hope someone can give me some advice, and sorry for my bad English.
From your example, you are setting SameSite=None without Secure. This is invalid and browsers (Chrome, Edge, Firefox, etc.) will begin rejecting this.
However, you should check DevTools in Chrome on your site to see the specific error. You can check both the Console and individual requests in the Network tab to see issues with a given cookie.
You can find more detail on https://www.chromium.org/updates/same-site/test-debug
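The two answers above (Chrome treating a missing SameSite as Lax, and SameSite=None being rejected without Secure) and the Safari behaviour in the first question describe rules that are easy to check mechanically. The following is an added example, not code from any of the posts: a small Set-Cookie linter that parses a header value and reports how a browser will treat it. The header strings in the sample calls are constructed for the demonstration.

```javascript
// Added example (not from the original posts): a Set-Cookie header linter
// modelling the browser rules quoted in the answers above.

// Parse one Set-Cookie header value into { name, value, attrs }.
// Attribute names are case-insensitive, so "sameSite" and "SameSite" match.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const [nameValue, ...attrParts] = parts;
  const eq = nameValue.indexOf('=');
  const name = eq === -1 ? nameValue : nameValue.slice(0, eq).trim();
  const value = eq === -1 ? '' : nameValue.slice(eq + 1).trim();
  const attrs = {};
  for (const part of attrParts) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).trim().toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1).trim();
  }
  return { name, value, attrs };
}

// Apply the rules from the answers:
//  - SameSite absent            -> Chrome defaults it to Lax (not sent cross-site)
//  - SameSite=None without Secure -> the cookie is rejected outright
// Returns { accepted, effectiveSameSite, sentCrossSite, problems }.
function lintCookie(header) {
  const { attrs } = parseSetCookie(header);
  const problems = [];
  const secure = attrs.secure === true;
  let sameSite = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;

  if (sameSite === null) {
    problems.push('SameSite not set: Chrome defaults it to Lax, so cross-site requests will not carry it');
    sameSite = 'lax';
  }
  if (sameSite === 'none' && !secure) {
    problems.push('SameSite=None requires Secure: browsers reject this cookie');
    return { accepted: false, effectiveSameSite: 'none', sentCrossSite: false, problems };
  }
  const sentCrossSite = sameSite === 'none';
  if (sentCrossSite) {
    // Accepted by the cookie rules, but a browser's tracking protection can
    // still refuse to store it as a third-party cookie (the Safari
    // "Prevent cross-site tracking" behaviour from the first question).
    problems.push('cross-site cookie: storage still depends on the browser\'s third-party cookie policy');
  }
  return { accepted: true, effectiveSameSite: sameSite, sentCrossSite, problems };
}

// Constructed sample headers: the one from the question, a bare cookie, and a fixed one.
const SAMPLE_HEADERS = {
  fromQuestion: 'myKey=myKeyValue;path=/;httpOnly;Max-Age=1555520000;Domain=.mydomain.co;sameSite=none',
  noSameSite: 'session=abc; Path=/; HttpOnly',
  fixed: 'session=abc; Path=/; HttpOnly; Secure; SameSite=None',
};

for (const [label, header] of Object.entries(SAMPLE_HEADERS)) {
  const result = lintCookie(header);
  console.log(label, result.accepted ? 'accepted' : 'REJECTED', result.problems);
}
```

Run it against your own Set-Cookie headers copied from the Network tab; the "fixed" sample is what the rejected header from the question looks like once Secure is added (which also means the site must be served over HTTPS).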

Authentication with Postman on a SAML/shibboleth based website without using browser

I'm trying to understand the process of logging in to a website using the Network tab in Google Chrome, because I have to use that process to authenticate accounts in a mobile application.
The login is completed when I reach the page "HomepageStudente.do", but I don't understand how to replicate all this on Postman. I've tried to do this:
Right-click on the SSO request
Copy as Curl (bash)
And it seems to work, but when I do the same thing with the second request (POST) I get a different message compared to the one on the Network tab.
Those 3 calls are based on automatic redirects by the browser, and I don't understand how to replicate that in Postman. Is this possible to do? Any other suggestion on how to use those requests to authenticate an account outside the website (for example in a mobile app)?
Thanks
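The point the question is circling is that "Copy as cURL" captures one request in isolation, while the browser carried cookies set by the earlier hops into the later ones. The following is an added example, not code from the question: a cookie-aware redirect follower run against an in-memory fake of a three-hop login. The routes, host name and cookie names are constructed for the demonstration and are not the real site's.

```javascript
// Added example (not from the original post): following a redirect chain
// with a cookie jar, against a constructed in-memory fake of a 3-hop login.

// Minimal cookie jar keyed by host (Path/Domain scoping omitted for brevity).
class CookieJar {
  constructor() { this.store = new Map(); }
  setFromHeaders(host, setCookieHeaders) {
    for (const h of setCookieHeaders) {
      const [nameValue] = h.split(';');
      const eq = nameValue.indexOf('=');
      if (!this.store.has(host)) this.store.set(host, new Map());
      this.store.get(host).set(nameValue.slice(0, eq).trim(), nameValue.slice(eq + 1).trim());
    }
  }
  cookieHeader(host) {
    const m = this.store.get(host);
    return m ? [...m].map(([k, v]) => `${k}=${v}`).join('; ') : '';
  }
}

// Constructed fake site: the three calls as they would appear in the Network tab.
// Each handler receives { cookies } and returns { status, headers, body }.
const FAKE_SITE = {
  'POST /idp/login': () => ({
    status: 302,
    headers: { location: '/sso/callback', 'set-cookie': ['idp_session=s1; HttpOnly'] },
    body: '',
  }),
  'GET /sso/callback': ({ cookies }) => {
    if (!/idp_session=s1/.test(cookies)) return { status: 401, headers: {}, body: 'no idp session' };
    return {
      status: 302,
      headers: { location: '/HomepageStudente.do', 'set-cookie': ['app_session=a1; HttpOnly'] },
      body: '',
    };
  },
  'GET /HomepageStudente.do': ({ cookies }) => {
    if (!/app_session=a1/.test(cookies)) return { status: 401, headers: {}, body: 'not logged in' };
    return { status: 200, headers: {}, body: 'welcome' };
  },
};

function fakeFetch(method, path, cookies) {
  const handler = FAKE_SITE[`${method} ${path}`];
  return handler ? handler({ cookies }) : { status: 404, headers: {}, body: '' };
}

// Follow redirects the way a browser does: store Set-Cookie from every hop,
// send the jar on the next hop, and turn a POST into a GET after a 302.
function followLogin(jar, host, method, path, maxHops = 10) {
  const trail = [];
  for (let hop = 0; hop < maxHops; hop++) {
    const res = fakeFetch(method, path, jar.cookieHeader(host));
    jar.setFromHeaders(host, res.headers['set-cookie'] || []);
    trail.push({ method, path, status: res.status });
    if (res.status >= 300 && res.status < 400 && res.headers.location) {
      method = 'GET';
      path = res.headers.location;
      continue;
    }
    return { final: res, trail };
  }
  throw new Error('too many redirects');
}

// The whole chain, driven from the first request with an empty jar.
function loginWithBrowserBehaviour() {
  return followLogin(new CookieJar(), 'sso.example', 'POST', '/idp/login');
}

// Replaying only the last request (what "Copy as cURL" on one entry gives you)
// fails, because the cookies set by the earlier hops are not there.
function replayLastRequestOnly() {
  return fakeFetch('GET', '/HomepageStudente.do', new CookieJar().cookieHeader('sso.example'));
}

console.log(loginWithBrowserBehaviour().trail);
console.log('replay of last request only:', replayLastRequestOnly().status);
```

In Postman the equivalent is to send the first request and let the cookie jar and automatic redirect following do the rest, rather than pasting the final request on its own; a mobile client needs the same jar-plus-redirect behaviour in its HTTP library.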

Shopify app showing request blocked by an extension

I have deployed my Node.js app on AWS EC2 and it's working fine when I use it in the browser normally. But when I access it from inside my Shopify app, it shows that the request has been blocked by an extension.
I tried to access it in incognito mode as well, but got the same result.
Can someone please help?
Shopify blocks all HTTP requests. You may want to check whether you are loading any URL over http.
Update -
AWS provides secure URLs. Find it and use it instead!

Web API 2 authorized not working as expected

I'm experiencing the same issue as the one mentioned here, for which there was no conclusive answer: Asp.Net Owin authorized request works in Incognito mode but not "normal" Chrome
I am unable to comment on that question as I do not have the reputation to allow it, but I was going to ask whether it is something to do with the fact that my project includes both Web Forms and Web API and there is a conflict going on with the authorization cookie.
Has anyone else come across this issue?
Thanks
For the benefit of anyone else with the same issue:
It was indeed due to forms authentication being enabled at the same time as OWIN bearer tokens.
If you are logged in via forms authentication and then try to call a Web API endpoint in the same browser, it uses the cookie information, which gets recognized by Web API authorization.
In incognito there is no such cookie, so it behaves as expected.