Problem with SameSite=None on Google Chrome

Hi,

I actually have a problem with the Google Chrome update: https://www.chromium.org/updates/same-site
Hope somebody can help me.

First, I will describe a bit about my problem:
I have a login page that includes my consent app inside an iframe. Today, I cannot log in anymore. Ory Hydra always returns an error: “No CSRF value…”.
I researched and found the article: https://web.dev/samesite-cookie-recipes/. I understand it means my consent app is a third party and I have to mark the session cookie with SameSite=None; Secure.

I continued to research and, luckily, Ory Hydra supports a “samesite” config.
So I added 2 more configs: serve.cookies.same_site_mode=none, serve.cookies.same_site_legacy_workaround=true.

Now I can log in successfully. But I still receive some reports of users who cannot log in, with “No CSRF error…”. They have to clear the cookie and try to log in again, and then it works.

Can somebody explain this to me? What can I do to fix the issue completely?
I’m using the Ory Hydra Docker version 1.5.2.

Thanks.

This might help: https://github.com/ory/hydra/issues/1844#issuecomment-666283875

2 Likes

Thanks for your help. I tried setting the config “serve.cookies.same_site_mode=Lax” and it works.