How to fix "This Set-Cookie was blocked due to user preferences" in Chrome? (Stackoverflow SSO Login / Ajax CORS request)


Solution 1

If you can only replicate this in Incognito and Pierre Pretorius's answer didn't help, you are probably being hit by a change in Chrome 83 where third party cookies are blocked by default in Incognito mode. See https://angel.co/today/stories/chrome-83-arrives-with-redesigned-security-settings-third-party-cookies-blocked-in-incognito-21796

I don't think you can do much to change this, and Google intends to make this the default behaviour in the future: https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox

EDIT: Google will not implement this until at least 2023 https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/

Solution 2

The site that is passing the Set-Cookie HTTP header also needs to pass SameSite=None and Secure, else the cookie is not saved and is ignored.

Set-Cookie: qa_session=...; SameSite=None; Secure

Before you do, please read the security implications: https://blog.heroku.com/chrome-changes-samesite-cookie

PHP code example (source):

// Wrapper around setcookie() that adds the SameSite attribute on every PHP version.
function setcookieSameSite($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite = "None")
{
    if (PHP_VERSION_ID < 70300) {
        // PHP < 7.3 has no samesite option: append the attribute to the path,
        // which setcookie() writes verbatim into the Set-Cookie header.
        setcookie($name, $value, $expire, "$path; samesite=$samesite", $domain, $secure, $httponly);
    } else {
        // PHP >= 7.3 accepts an options array with native samesite support.
        setcookie($name, $value, [
            'expires'  => $expire,
            'path'     => $path,
            'domain'   => $domain,
            'samesite' => $samesite,
            'secure'   => $secure,
            'httponly' => $httponly,
        ]);
    }
}
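A small checker for the two header conditions in this answer (SameSite=None plus Secure) and for the credentialed CORS headers the question's PHP sets, as an added Node.js example that is not part of the original answer; all cookie and header values in it are constructed:

```javascript
// Added example (not from the original answer). Checks whether a Set-Cookie
// header can be stored in a cross-site (third-party) context, and whether the
// CORS response headers permit a credentialed (withCredentials: true) request.
// Plain Node.js, no dependencies; the sample values below are constructed.
// Split a Set-Cookie header into name, value and a lowercase attribute map.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf("=");
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attrs[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Reasons Chrome (80+) would not use this cookie when it is set by a third-party
// origin, e.g. the SSO host queried via AJAX. An empty list means the header is
// fine; the only remaining blocker is then the user's third-party cookie preference.
function crossSiteCookieProblems(header) {
  const { attrs } = parseSetCookie(header);
  const sameSite = typeof attrs.samesite === "string" ? attrs.samesite.toLowerCase() : "";
  const problems = [];
  if (!sameSite) problems.push("SameSite missing: Chrome defaults to Lax, cookie is not sent cross-site");
  else if (sameSite !== "none") problems.push(`SameSite=${attrs.samesite} is never sent cross-site`);
  if (sameSite === "none" && !attrs.secure) problems.push("SameSite=None requires Secure, else the cookie is rejected");
  return problems;
}

// Credentialed CORS needs the exact requesting origin (never "*") plus
// Access-Control-Allow-Credentials: true, matching the PHP headers in the question.
function credentialedCorsProblems(responseHeaders, requestOrigin) {
  const h = Object.fromEntries(Object.entries(responseHeaders).map(([k, v]) => [k.toLowerCase(), v]));
  const problems = [];
  const acao = h["access-control-allow-origin"];
  if (!acao) problems.push("Access-Control-Allow-Origin missing");
  else if (acao === "*") problems.push("Access-Control-Allow-Origin: * is not allowed with credentials");
  else if (acao !== requestOrigin) problems.push(`Access-Control-Allow-Origin ${acao} does not match ${requestOrigin}`);
  if (h["access-control-allow-credentials"] !== "true") problems.push("Access-Control-Allow-Credentials must be exactly 'true'");
  return problems;
}

// Constructed samples: a cookie without SameSite, and the fixed form from this answer.
const BROKEN_COOKIE = "qa_session=abc123; Path=/; HttpOnly";
const FIXED_COOKIE = "qa_session=abc123; Path=/; HttpOnly; SameSite=None; Secure";
console.log(crossSiteCookieProblems(BROKEN_COOKIE)); // one problem: SameSite missing
console.log(crossSiteCookieProblems(FIXED_COOKIE));  // []
```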

Solution 3

Select the first option in "Cookies and other site data" in Chrome settings, which is "Allow all cookies". It worked for me.


Updated on February 22, 2022

Comments

  • Avatar
    Avatar about 2 years

    It seems that the recent update of Chrome to version 83.0.4103.116 brought a change to the Cookie handling.

    I am providing a single sign-on for my users that signs them in to several websites. Similar to Stackoverflow, I am doing an AJAX request with jQuery:

    crossDomain: true, 
    xhrFields: { withCredentials: true },
    

    And in PHP I allow the domain:

    // needed for cross-domain request
    header('Access-Control-Allow-Origin: https://www.example.com');
    header('Access-Control-Allow-Credentials: true');
    

    However, now it does not work anymore.

    In the dev console I found a new warning with the tooltip:

    "This Set-Cookie was blocked due to user preferences"


    How to fix this?



    Update:

    I just see that the Single-Sign-On of Stackoverflow is not working anymore either!




    PS: A related question suggests telling your users to change the Chrome settings; from my POV, I'd like to avoid this. Just imagine SO informing millions of users to enable cookies to do a single sign-on...

    • Avatar
      Avatar almost 4 years
      @Jay Blanchard: I specifically said it's not about changing the Chrome settings (which is an accepted answer in the other question). And it does not deal with single-sign-on, Ajax and PHP. - Please be so kind and remove the close flag.
    • Jay Blanchard
      Jay Blanchard almost 4 years
      Did you research all of the duplicates and find that none pertained to you?
    • Avatar
      Avatar almost 4 years
      Of course. E.g. stackoverflow.com/… or google google.com/… ... And again, just to point out the significance, all SO/Stackexchange users will be affected.
    • IncredibleHat
      IncredibleHat almost 4 years
      Have you determined that the cause is actually the user's setting, and you want to circumvent that setting? Or that the user is allowing them, but you are still getting that blocked message, and cannot figure out why it's showing the blocked message when the user has not set it to block cookies?
    • Avatar
      Avatar almost 4 years
      I have the default settings: Allow sites to save and read cookie data ON. Block third parties OFF. The login worked until yesterday; now it stopped with the warning above. Try to log in to SO and then head over to superuser.com (or another site where you have a second account). You are not logged in anymore.
    • IncredibleHat
      IncredibleHat almost 4 years
      Appears that the clean-install default settings in Chrome are to block 3rd party cookies (all). Which may be a ramp up for their SameSite requirements in a later version update. I guess this is to protect users from themselves, which does pose a bit of a problem when chrome decides one of your own cookies is a 3rd party cookie (cookie set from a domain that is not the current domain).
    • Funk Forty Niner
      Funk Forty Niner almost 4 years
      Shouldn't this be asked on meta instead?
    • Avatar
      Avatar almost 4 years
      Here is a screen recording that shows that the SSO login of Stackoverflow/Stackexchange/Superuser is not working anymore: github.com/q2apro/gifs/blob/master/…
    • Avatar
      Avatar almost 4 years
      @FunkFortyNiner No, we need a technical solution. There will be many websites/developers running into the same issue in the next days.
    • IncredibleHat
      IncredibleHat almost 4 years
      However you are overlooking that you can still sign in on each site with the same user. So blocking 3rd party cookies is only negatively affecting 'ease of use' where you are automatically signed in on all, when you sign in on one. Users who want that ease, can relax their default cookie settings. However it does not impede them from still signing in on each site correctly.
    • jessepinho
      jessepinho almost 4 years
      Was this occurring in Incognito? Chrome has a separate setting for blocking third-party cookies in Incognito. I was hung up on this for hours today and then when I used a regular (non-Incognito) window, it worked fine.
    • Avatar
      Avatar almost 4 years
      It happens in standard mode and incognito mode.
  • Victor
    Victor over 3 years
    Still, there is something that my browser does not like. The cookie comes as this: Set-Cookie: JSESSIONID=somevaluehere; path=/my-site-path;SameSite=None;Secure but the browser still says that it doesn't want to set it. Note: the re/rsp is within an iframe.
  • Victor
    Victor over 3 years
    I have fixed it: the issue was that I was testing in Incognito mode in Chrome. Also, there was a default setting in Chrome that was specifying that Incognito mode should not accept 3rd Party cookies. So, I have enabled the option and the cookies are now saved.
  • Nadir
    Nadir over 3 years
    For PHP 5.6.40: if you have no problem rebuilding the PHP binary, I managed to port this feature from PHP 7.3 to PHP 5.6.40, and there is now a pull request. See full answer here: stackoverflow.com/a/64960472/1641763