Samesite Cookie Enforcement causing internal server error

Solved
Excursionist
33 4 1

I received Shopify's email about Google enforcing SameSite cookies and implemented the fix for JS/Node per the GitHub example here. My code:

  server.use(
    createShopifyAuth({
      apiKey: SHOPIFY_API_KEY,
      secret: SHOPIFY_API_SECRET_KEY,
      scopes: ['read_products', 'write_products'],
      async afterAuth(ctx) {
        const { shop, accessToken } = ctx.session;
        ctx.cookies.set('shopOrigin', shop, { sameSite: 'none', secure: true }/*, { httpOnly: false }*/);
      },
    }),
  );

 

Now I'm getting an internal server error and am unable to access my app on Shopify. My server returns the following message:

Error: Cannot send secure cookie over unencrypted connection

I'm using ngrok HTTPS with the callbacks being HTTPS, and the Shopify site itself is secured, so I'm not sure what's happening here. Insight/guidance would be much appreciated.

Cheers!

You are phoenix
0 Likes
Tourist
8 1 10

I did exactly the same and am getting the same error. I am testing using https:// and ngrok; not sure why I am still getting the error.

0 Likes

Success.

Tourist
8 1 10

I figured it out; there are a few more things that need to be configured to set the sameSite and secure options on the cookie.

Set the additional options when setting up koa-session:

server.use(session({ sameSite: 'none', secure: true }, server));

and when setting the shopOrigin cookie, pass the same options as above:

ctx.cookies.set("shopOrigin", shop, { httpOnly: false, sameSite: 'none', secure: true });

However, the above will generate an error:

Error: Cannot send secure cookie over unencrypted connection

To avoid the error, set:

server.proxy = true

More information: https://www.npmjs.com/package/cookies (scroll down to the "Secure cookies" section).

7 Likes
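The chain of checks behind the error and the fix in the answer above, as an added example that is not code from this thread, from Koa, koa-session, koa-shopify-auth or the cookies package: a dependency-free Node re-implementation of the two rules involved, namely how Koa decides whether a request is HTTPS (TLS socket, or X-Forwarded-Proto only when app.proxy is true) and how the cookies package refuses a `secure: true` cookie on a request it does not consider secure. The request object is constructed to mimic what ngrok or nginx hands to the Node process after terminating TLS; the function names requestProtocol, cookiePolicyProblems, buildSetCookie and demo and the sample shop value are assumptions of this example.

```javascript
'use strict';

// Added example, not code from the thread, Koa, koa-session or the cookies
// package: a dependency-free re-implementation of the two checks that
// together produce "Cannot send secure cookie over unencrypted connection".
//   1. Koa's request.protocol is 'https' if the socket itself is TLS;
//      otherwise it trusts the first X-Forwarded-Proto value only when
//      app.proxy is true, and reports 'http' in every other case.
//   2. The cookies package refuses `secure: true` unless the request was
//      judged secure by step 1.

const SECURE_COOKIE_ERROR = 'Cannot send secure cookie over unencrypted connection';

// Simplified mirror of Koa's protocol detection (assumption: one proxy hop).
function requestProtocol(req, trustProxy) {
  if (req.socket && req.socket.encrypted) return 'https';
  if (!trustProxy) return 'http'; // app.proxy = false: forwarded headers are ignored
  const forwarded = req.headers['x-forwarded-proto'] || '';
  const first = forwarded.split(/\s*,\s*/)[0];
  return first || 'http';
}

// The Chrome 80 rule the Shopify email is about: SameSite=None is only
// honoured on cookies that are also Secure. Returns a list of problems.
function cookiePolicyProblems(opts) {
  const problems = [];
  if (String(opts.sameSite).toLowerCase() === 'none' && !opts.secure) {
    problems.push('SameSite=None requires the Secure attribute; Chrome 80+ rejects the cookie');
  }
  return problems;
}

// Builds the Set-Cookie value the way the cookies package formats it
// (lowercase attribute names), enforcing its secure-connection rule.
function buildSetCookie(name, value, opts, req, trustProxy) {
  const secureConnection = requestProtocol(req, trustProxy) === 'https';
  if (opts.secure && !secureConnection) {
    throw new Error(SECURE_COOKIE_ERROR);
  }
  const parts = [`${name}=${value}`, 'path=/'];
  if (opts.sameSite) parts.push(`samesite=${String(opts.sameSite).toLowerCase()}`);
  if (opts.secure) parts.push('secure');
  if (opts.httpOnly) parts.push('httponly');
  return parts.join('; ');
}

// Constructed request as the Node process sees it behind ngrok or nginx:
// TLS was terminated upstream, so the local socket is plain TCP and only
// the forwarded header says the client connection was https.
const proxiedRequest = {
  socket: { encrypted: false },
  headers: { 'x-forwarded-proto': 'https' },
};

// Options from the thread for the shopOrigin cookie.
const shopOriginOpts = { httpOnly: false, sameSite: 'none', secure: true };

// Sets the cookie with app.proxy off or on and reports the outcome
// ('example.myshopify.com' is a constructed sample shop domain).
function demo(trustProxy) {
  try {
    const header = buildSetCookie('shopOrigin', 'example.myshopify.com',
      shopOriginOpts, proxiedRequest, trustProxy);
    return { ok: true, header };
  } catch (err) {
    return { ok: false, error: err.message };
  }
}

if (typeof require !== 'undefined' && require.main === module) {
  console.log('app.proxy = false ->', demo(false));
  console.log('app.proxy = true  ->', demo(true));
  console.log('sameSite none without secure ->', cookiePolicyProblems({ sameSite: 'none' }));
}
```

With `trustProxy` false the forwarded header is ignored, the request counts as plain HTTP and the secure cookie is refused, which is exactly the error in the thread; with it true the Set-Cookie line carries `samesite=none; secure` as Chrome 80 requires. `app.proxy = true` makes Koa trust X-Forwarded-* headers, so it is only appropriate when the Node process is reachable solely through ngrok or nginx; if the port is reachable directly, a client could present its own X-Forwarded-Proto header, which is why the proxy, not the client, must be the only thing that can set it.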
New Member
2 0 0
Hi, did you find any solution for it? I also received the same email and I have no clue what to do.
0 Likes
Tourist
8 1 10
See the above response with the additional code changes; that solves the issue.
0 Likes
Excursionist
33 4 1

Hi @cap_ali, @pateketu's solution does work for me. Try implementing it to see if it works for you as well.

You are phoenix
0 Likes
New Member
2 0 0

Sure, thank you.

0 Likes
New Member
2 0 2

Works perfectly!

However, two cookies, namely shopifyNonce and shopifyTestCookie, still do not have the SameSite attribute. I believe the koa-shopify-auth package is not adding those. Would it be an issue?

@pateketu wrote:

I figured it out; there are a few more things that need to be configured to set the sameSite and secure options on the cookie.

Set the additional options when setting up koa-session:

server.use(session({ sameSite: 'none', secure: true }, server));

and when setting the shopOrigin cookie, pass the same options as above:

ctx.cookies.set("shopOrigin", shop, { httpOnly: false, sameSite: 'none', secure: true });

However, the above will generate an error:

Error: Cannot send secure cookie over unencrypted connection

To avoid the error, set:

server.proxy = true

More information: https://www.npmjs.com/package/cookies (scroll down to the "Secure cookies" section).

2 Likes
Tourist
8 1 10

@Subham_Bansal I have tested out my app in Chrome 80 beta and it works without those two cookies; not sure what shopifyNonce does.

0 Likes
Shopify Partner
11 0 5

Wanted to add that if you're running Nginx and still getting the error:

Error: Cannot send secure cookie over unencrypted connection

then you may have to add in code from this Server Fault answer:

https://serverfault.com/questions/797129/how-do-i-prevent-nginx-from-stripping-secure-cookies

Adam Tzagournis
Sound Onyx Inc
https://apps.shopify.com/partners/sound-onyx-inc
0 Likes