Started to see this a few weeks ago; others have a similar experience.
The discussion below suggests a workaround of setting the cookie's SameSite attribute to None rather than Lax.
https://bugs.webkit.org/show_bug.cgi?id=255524
Lax is more secure, so None should only be used as a temporary workaround. Perhaps only target iPhone user-agents* and place the change behind a feature flag so we can easily revert to Lax should the issue be fixed in the future.
There seems to be some contention over whether setting SameSite to None or not setting it at all resolves the issue. Make the feature flag's SameSite configuration item a value so we can easily experiment (i.e. have a known "Null" value we interpret as not setting SameSite at all).
* The problem manifests on Chrome on iPhone too, probably because they have to use WebKit - though this may be changing, but only in the EU - ruling out the UK
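A sketch of the value-typed flag proposed above, added here as an example and not taken from any existing code base. The function names, the allowed flag values and the sample user-agent strings are assumptions; anything unrecognised falls back to Lax, and Secure is always set because browsers reject SameSite=None cookies that lack it.

```python
from http.cookies import SimpleCookie

# Hypothetical flag values. "Null" is the sentinel the ticket proposes for
# "do not emit a SameSite attribute at all".
ALLOWED_FLAG_VALUES = {"Lax", "None", "Null"}
DEFAULT_SAMESITE = "Lax"


def is_iphone(user_agent):
    # Chrome on iOS is built on WebKit and also carries the "iPhone" token.
    return "iPhone" in (user_agent or "")


def resolve_samesite(flag_value, user_agent):
    """Return "Lax", "None", or None (meaning: omit the attribute)."""
    if flag_value not in ALLOWED_FLAG_VALUES:
        return DEFAULT_SAMESITE  # unset or mistyped flag fails closed to Lax
    if not is_iphone(user_agent):
        return DEFAULT_SAMESITE  # workaround is scoped to iPhone clients only
    return None if flag_value == "Null" else flag_value


def session_cookie_header(name, value, flag_value, user_agent):
    """Build the Set-Cookie value for a session cookie under the flag."""
    samesite = resolve_samesite(flag_value, user_agent)
    cookie = SimpleCookie()
    cookie[name] = value
    morsel = cookie[name]
    morsel["path"] = "/"
    morsel["httponly"] = True
    morsel["secure"] = True  # mandatory alongside SameSite=None
    if samesite is not None:
        morsel["samesite"] = samesite
    return morsel.OutputString()


# Constructed sample user-agent strings, for illustration only.
IPHONE_CHROME_UA = ("Mozilla/5.0 (iPhone; CPU iPhone OS 16_5 like Mac OS X) "
                    "AppleWebKit/605.1.15 (KHTML, like Gecko) "
                    "CriOS/114.0.0.0 Mobile/15E148 Safari/604.1")
DESKTOP_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
              "(KHTML, like Gecko) Chrome/114.0.0.0 Safari/537.36")

if __name__ == "__main__":
    for flag in ("Lax", "None", "Null"):
        print(flag, "->", session_cookie_header("session", "abc123", flag, IPHONE_CHROME_UA))
```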