Manage SameSite Cookie Settings

[audacity76]

I was wondering how I can set the SameSite option for the Application Insights cookies. Chrome will change the behavior of SameSite cookies in Feb 2020 (https://www.chromestatus.com/feature/5088147346030592). Is there any documentation how the cookie options are set depending on the browser agent?

[markwolff]

If you are on the latest version of the SDK, we are already setting SameSite to None. This only applies to new cookies, and existing cookies will not have the policy applied to them. From what I can tell the chrome change only blocks the "creation" of non-policy'ed cross site cookies.

[audacity76]

Thank you for your information. As far as I know the cookie setting depends on the browser agent as there are incompatible clients: https://www.chromium.org/updates/same-site/incompatible-clients

[neolefty]

It looks like the fix for legacy cookies (issue #1112) is not in the latest NPM release 2.3.1:

• Fix: add samesite=none to legacy cookies #1112 was published 2019-11-08
• NPM package v2.3.1 was published on 2019-11-07: https://www.npmjs.com/package/@microsoft/applicationinsights-react-js/v/2.3.1

[markwolff]

@neolefty The legacy cookie fix PR is (unreleased) patch for 1.0.20 iteration of the (legacy) SDK. For the 2.* version, the cookie change for this SDK is already released

[hiraldesai]

I have an angular app using version 2.4.2 of the @microsoft/application-insights-web package and the SameSite issue doesn't happen in Chrome80 but I noticed that Edge Chromium Version 79.0.309.71 (Official build) (64-bit) is still writing no SameSite attribute that results in a warning (screenshot).

[markwolff]

@hiraldesai Could you delete the cookie and see if it writes it with the correct property?

[hiraldesai]

I had tried that before, tried it one more time. Same issue.

[markwolff]

Was it also an issue on 2.3.1?

[MSNev]

The issue is that the URL must be https, otherwise we don't write the Secure; or SameSite=None settings. As SameSite requires Secure :-). and looking at the URL in the screenshot its http://localhost

[hiraldesai]

Ohhh, my bad! Sorry I should have figured it out on my own. Thank you for checking!

[MSNev]

Version 2.4.3 is now published to CDN and NPM and addresses this the SameSite issues, it also includes checks for incompatible clients.

[github-actions]

This issue has been automatically locked since there has not been any recent activity after it was closed. Please open a new issue for related bugs.