Closed seancdavis closed 1 year ago
Hi @seancdavis which part do you think Astro is doing wrong here?
Hey @matthewp — The home page looks for a cookie called `test-cookie`.

```astro
---
// Home page: read the cookie that /set-cookie is expected to have stored
const cookie = Astro.cookies.get('test-cookie');
---
```

Another page (`set-cookie`) sets the same cookie then redirects to the home page.

```astro
---
// /set-cookie page: store the cookie, then send the browser to the home page
Astro.cookies.set('test-cookie', 'Cookie is Set', {
  path: '/',
  maxAge: 60 * 60 * 24 * 7, // 7 days (maxAge is in seconds)
  secure: true,
  httpOnly: true,
  sameSite: 'strict',
});
return Astro.redirect('/');
---
```

Then the process repeats. If accessing `/set-cookie` by clicking on an internal link, everything works fine. If first landing on the `/set-cookie` page from an external source, the home page doesn't properly retrieve the cookie: `const cookie = Astro.cookies.get('test-cookie');` has a value of `undefined`.
There's a related issue in that this same example isn't able to set cookies on Safari at all. Happy to log separately if it seems like a separate issue.
Hey @matthewp: Checking in — any more investigation needed to triage this issue?
I did take a look. If you remove the `sameSite` restriction it works. I'm not an expert on cookies, but the below headers are part of the request for `/set-cookie`. My suspicion is that the browser ignores the cookie because of these headers and the `sameSite` config option being used.
I don't think this has anything to do with Astro, so closing. If you can create a reproduction that takes 3rd party sites out of the equation please file a new issue.
That was it! Switched `sameSite` to `lax` and it fixes the issue.
I was also able to resolve the issue with Safari. Although I couldn't find any official/external explanation, after some trial and error, it seems like the `secure` option must match the protocol for Safari.
By setting `secure` conditionally based on environment, it seems to now be setting the cookies as I expect.
I tested this against an https URL and set `secure: true`, also with success. (And with `sameSite: 'lax'`.)
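The two findings in this thread (a `SameSite=Strict` cookie is not sent on the redirect that follows an external landing, and a `Secure` cookie is only kept when it is set over https) can be replayed offline with a small model of the browser rules. The following is an added example, not code from this issue or from the Astro project: `cookieOptions`, `willStoreCookie`, `willSendCookie` and `replayExternalLanding` are hypothetical helpers, and the site names and request shape are constructed for the demo. The rules they encode are the SameSite and Secure semantics browsers apply, which is why switching to `lax` and deriving `secure` from the scheme fixes both symptoms.

```javascript
// Added example, not part of the Astro issue or the Astro code base. It models
// the browser rules behind the two symptoms in the thread so the failing and
// the fixed cookie configuration can be compared without a browser.

const ONE_WEEK_SECONDS = 60 * 60 * 24 * 7;

// Cookie options the way the reporter ended up setting them: `secure` follows
// the scheme the page was served over, `sameSite` is 'lax' so the cookie still
// travels on a top-level GET navigation that started on another site.
function cookieOptions(requestUrl) {
  const url = new URL(requestUrl);
  return {
    path: '/',
    maxAge: ONE_WEEK_SECONDS,
    secure: url.protocol === 'https:',
    httpOnly: true,
    sameSite: 'lax',
  };
}

// Rule 1: a Set-Cookie carrying the Secure attribute is discarded when the
// response arrived over plain http. That matches the Safari symptom above.
function willStoreCookie(options, responseUrl) {
  if (options.secure && new URL(responseUrl).protocol !== 'https:') return false;
  return true;
}

// Rule 2: whether a stored cookie is attached to a request. A request is
// same-site when the site that started the navigation matches the site being
// requested. A redirect keeps the original initiator, so the hop from
// /set-cookie to / is still cross-site when the visit began on another site.
function willSendCookie(options, request) {
  const { initiatorSite, targetSite, topLevelNavigation, method } = request;
  if (options.secure && !targetSite.startsWith('https://')) return false;
  const sameSite = initiatorSite === targetSite;
  const safeTopLevel = topLevelNavigation && (method === 'GET' || method === 'HEAD');
  switch (options.sameSite) {
    case 'strict':
      return sameSite;
    case 'none':
      return options.secure; // None is only honoured together with Secure
    case 'lax':
    default: // Chrome treats a missing attribute as Lax
      return sameSite || safeTopLevel;
  }
}

// Replay the flow from the issue: the user lands on /set-cookie from an
// external site, the server stores the cookie and redirects to /, and later
// the user clicks an internal link. Returns whether each step saw the cookie.
function replayExternalLanding(sameSite) {
  const app = 'https://myapp.example'; // constructed site name
  const options = { ...cookieOptions(`${app}/set-cookie`), sameSite };
  const stored = willStoreCookie(options, `${app}/set-cookie`);
  const onRedirect = stored && willSendCookie(options, {
    initiatorSite: 'https://other.example', // the visit started elsewhere
    targetSite: app,
    topLevelNavigation: true,
    method: 'GET',
  });
  const onInternalLink = stored && willSendCookie(options, {
    initiatorSite: app, // a later click inside the app
    targetSite: app,
    topLevelNavigation: true,
    method: 'GET',
  });
  return { stored, onRedirect, onInternalLink };
}
```

Calling `replayExternalLanding('strict')` reports `onRedirect: false` and `onInternalLink: true`, which is exactly the "works from an internal link, fails from an external source" pattern in the report; `replayExternalLanding('lax')` reports `true` for both. `willStoreCookie({ secure: true }, 'http://localhost:3000/set-cookie')` returns `false`, the Safari case, while `cookieOptions` over http simply leaves `secure` off.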
Astro Info
Example project:
If this issue only occurs in one browser, which browser is a problem?
Different issues in different browsers, noted in example README
Describe the Bug
I have a custom auth solution that is designed to work like this:
When I mimic the email behavior by printing a link on the screen, everything works fine.
But when I mimic an email service (using Nodemailer + Ethereal in the test), I run into a consistent issue. Flow is like this:
This is all happening locally and with SSR. I haven't tried deploying it yet.
What's the expected result?
The cookie should be able to be set manually (which is a problem in Safari).
In Chromium browsers, the (server) cookie should be able to be set, then the page redirected, with the ending route able to retrieve the cookie.
Link to Minimal Reproducible Example
https://github.com/seancdavis-stackbit/astro-bug-recreation
Participation