SameSite Cookie via .htaccess file

JAS_Technology
Shopify Expert

I'm dropping this here as a nice little tweak you can make to your app if you need to quickly/easily comply with Chrome's "SameSite=None; Secure" requirement. If your app has an .htaccess file, it can actually handle cookie manipulation with a regex. This single line allowed me to get this requirement met in my app and go about the rest of my week 🙂

Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

Hope this helps. Take care all.

Happy to hear about your crazy ideas.
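As an added example (not part of the original post), here is a small Python emulation of what that one-line `Header edit` does to a Set-Cookie value and what a browser then keeps, run over two constructed sample cookies. It shows the one caveat worth knowing before pasting the line in: `(.*)` matches every cookie, including ones your app already sets as SameSite=Lax or Strict, and because the browser keeps the last SameSite attribute it sees, those cookies are quietly downgraded to None. The guarded pattern at the bottom is my suggestion, not the thread's: the same directive shape with a negative lookahead, so only cookies that carry no SameSite attribute are touched.

```python
"""Emulate the thread's one-line mod_headers edit on Set-Cookie values.

    Header always edit Set-Cookie (.*) "$1; SameSite=None; Secure"

Added example, not code from the original post. The cookies below are
constructed for illustration.
"""
import re

# The thread's pattern and replacement. Apache writes the back-reference
# as $1; Python's re.sub writes it as \1.
THREAD_PATTERN = r"(.*)"
REPLACEMENT = r"\1; SameSite=None; Secure"


def apache_edit(value, pattern=THREAD_PATTERN, replacement=REPLACEMENT):
    """Assumption: Apache's "Header edit" substitutes the first match only
    ("edit*" would substitute every match). Python's re.sub would also hit
    the empty match at the end of the value, so count=1 mirrors "edit"."""
    return re.sub(pattern, replacement, value, count=1)


def parse_set_cookie(value):
    """Split a Set-Cookie value into (name, value, [(attr_lower, attr_value), ...])."""
    parts = [p.strip() for p in value.split(";")]
    name, _, cookie_value = parts[0].partition("=")
    attrs = []
    for part in parts[1:]:
        if part:
            key, _, val = part.partition("=")
            attrs.append((key.strip().lower(), val.strip()))
    return name.strip(), cookie_value.strip(), attrs


def effective_samesite(value):
    """What the browser keeps: per RFC 6265bis, when SameSite is repeated
    the LAST occurrence wins. Returns None when the attribute is absent."""
    result = None
    for key, val in parse_set_cookie(value)[2]:
        if key == "samesite":
            result = val
    return result


# Guarded variant (my suggestion, same directive shape): append only when
# no SameSite attribute is present, so Lax/Strict cookies stay as set.
# mod_headers uses PCRE, which accepts the same lookahead:
#   Header always edit Set-Cookie "(?i)^((?!.*SameSite=).*)$" "$1; SameSite=None; Secure"
GUARDED_PATTERN = r"(?i)^((?!.*SameSite=).*)$"

SESSION_COOKIE = "sid=abc123; Path=/; HttpOnly"            # constructed: no SameSite yet
CSRF_COOKIE = "csrf=xyz; Path=/; Secure; SameSite=Strict"  # constructed: deliberately Strict

if __name__ == "__main__":
    for cookie in (SESSION_COOKIE, CSRF_COOKIE):
        edited = apache_edit(cookie)
        print(f"{cookie}\n  thread edit -> {edited}")
        print(f"  effective SameSite: {effective_samesite(edited)}")
        print(f"  guarded edit -> {apache_edit(cookie, GUARDED_PATTERN)}")
```

Two practical notes. The thread's line uses `Header always edit`; per the mod_headers documentation the `always` condition additionally covers non-2xx responses (redirects included) and headers in the "always" table that the default condition does not see, so if a cookie set on a redirect comes through without the attribute, that is the form to use. And `SameSite=None` is only honoured when `Secure` is also present, so the attribute pair has to reach the browser over HTTPS or Chrome rejects the cookie.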
Replies 25 (25)
Naren1
Shopify Partner

I came here to post the same tip 🙂 but you pipped me to it. Thanks Jon.

I wrote a small blogpost with some extra details

https://grailslog.wordpress.com/2020/01/23/setting-the-samesite-attribute-on-the-jsessionid-cookie-f...

Jivan_Suhagiya
Shopify Partner

Hi,
What about incompatible clients? Here is the list: https://www.chromium.org/updates/same-site/incompatible-clients
How do you deal with that in the .htaccess file?
Thanks

If helpful then please Like and Accept Solution.
Email: suhagiyajivan1992@gmail.com
Skype: jivan.suhagiya
First kind of Checkout Reminder APP: https://apps.shopify.com/checkout-reminder
Jason27
Shopify Partner

Yeah, this works, but breaks on Safari...

Try this code in .htaccess to fix:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Jason27
Shopify Partner

The code above wasn't working on my version of Safari on 10.14, so I tweaked the regex to exclude all Safari, and now it works.

This doesn't add SameSite for Safari and some other incompatible browsers, but adds it for Chrome:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\/.* Safari\/)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Jivan_Suhagiya
Shopify Partner

Hi @Jason27 
Great help!
I tried the code you provided in my .htaccess file. When I put in the second code, it breaks, returning an error (please refer to the attachment) on the latest Chrome browser (not tested in other browsers). Do you know why it's happening?
I appreciate your help!
Thank you. [attachment: error.JPG]

Jason27
Shopify Partner

Hi, just use the first one I posted for now. I thought my tweak to the regex was working, but I need to look at that. The first one still doesn't work for Safari 10.14.6, but does work on some other versions, including iOS. Will take a look at fixing the modified version over the next week. We have until Feb 17 anyway.

syntax_error
New Member

Thank you!! Saved my day; I'd been trying to fix the issue for almost 2 days.

Jason27
Shopify Partner

This version includes the fix for Safari v13 on OS X 10.14:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-2].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

sumankc55
Shopify Partner

What can be done for an app which does not have an .htaccess file? Can we create it?
Thanks in advance.

mcfc4heatons
New Member

I know some newer versions of iOS/Safari block third-party cookies by default anyway, but does this solution mean older iOS devices would still be susceptible to CSRF attacks if relying on this solution alone?

Jason27
Shopify Partner

Not sure if preventing attacks is my priority right now. Compatibility wise, seems to work afaik.

johndevz
New Member

I think this is not working on the latest Safari version. Any updates on how to fix it?

All my settings come directly from an AJAX call, but per my debugging, my session is not readable through the AJAX call.

Jason27
Shopify Partner

Try this in your .htaccess file and let us know if it's working right:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-2]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-2]|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Cheers

johndevz
New Member

I tried the code above but it's not working on the latest Safari browser. 😞

Jason27
Shopify Partner

What's the user-agent string for the latest Safari browser?

johndevz
New Member

@Jason27 wrote:

What's the user-agent string for the latest Safari browser?

Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1

using my mobile Safari browser.

Jason27
Shopify Partner

OK, you were referring to iOS, so try this instead:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-3]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-3]|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
    Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

Let us know if this works.

Royal2
Shopify Partner

Can you give a solution for this agent string?

Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/14.0.2 Safari/605.1.15

Jason27
Shopify Partner

I think Safari fixed this issue in later versions. Are you experiencing a samesite issue with the latest safari?
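The user-agent regex in the `<If>` blocks and the Chromium incompatible-client list linked earlier in the thread do not exclude the same clients, so here is an added Python example (not from the thread, and not Chromium's code) that runs both classifiers against the two user-agent strings posted above plus a few constructed ones. `thread_regex_excludes()` is the PCRE from the last `<If>` block copied verbatim (Apache's `\x2F` is just an escaped `/`, which Python's `re` also accepts), with the `/i` flag. `chromium_incompatible()` is my port of the pseudo-code on https://www.chromium.org/updates/same-site/incompatible-clients. The comparison shows where the two disagree: the thread's regex sends `SameSite=None` to Chrome 51 through 66, which reject such cookies, and withholds it from iOS 13, which handles the attribute correctly; for the macOS 10.15 / Safari 14 string asked about at the end, neither classifier excludes the client, so the attribute is added.

```python
"""User-agent gating for SameSite=None: the thread's regex versus a port
of the Chromium reference checks. Added example; the UA strings marked
"constructed" are mine, the other two are quoted from the thread."""
import re

# Verbatim from the thread's <If "%{HTTP_USER_AGENT} !~ /.../i"> block.
THREAD_REGEX = re.compile(
    r"(iPhone; CPU iPhone OS 1[0-3]|iPad; CPU OS 1[0-2]|iPod touch; CPU iPhone OS 1[0-3]"
    r"|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari"
    r"|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)",
    re.IGNORECASE,
)


def thread_regex_excludes(ua):
    """True when the thread's <If> condition would skip the Header edit."""
    return THREAD_REGEX.search(ua) is not None


# --- my port of the pseudo-code on the Chromium incompatible-clients page ---
def _ios_major(ua):
    m = re.search(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit\/", ua)
    return int(m.group(1)) if m else None


def _macos_version(ua):
    m = re.search(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit\/", ua)
    return (int(m.group(1)), int(m.group(2))) if m else None


def _is_chromium(ua):
    return re.search(r"Chrom(e|ium)", ua) is not None


def _chromium_major(ua):
    m = re.search(r"Chrom[^ \/]+\/(\d+)[\.\d]* ", ua)
    return int(m.group(1)) if m else None


def _is_safari(ua):
    return re.search(r"Version\/.* Safari\/", ua) is not None and not _is_chromium(ua)


def _is_mac_embedded(ua):
    pattern = r"^Mozilla\/[\.\d]+ \(Macintosh;.*Mac OS X [_\d]+\) AppleWebKit\/[\.\d]+ \(KHTML, like Gecko\)$"
    return re.search(pattern, ua) is not None


def _uc_version(ua):
    m = re.search(r"UCBrowser\/(\d+)\.(\d+)\.(\d+)[\.\d]* ", ua)
    return tuple(int(x) for x in m.groups()) if m else None


def chromium_incompatible(ua):
    """True for clients the Chromium page lists as mishandling SameSite=None."""
    # WebKit bug: iOS 12 (any browser) and macOS 10.14 Safari / embedded
    # WebKit treat SameSite=None as SameSite=Strict.
    if _ios_major(ua) == 12:
        return True
    if _macos_version(ua) == (10, 14) and (_is_safari(ua) or _is_mac_embedded(ua)):
        return True
    # UC Browser before 12.13.2 and Chrome 51-66 drop cookies carrying SameSite=None.
    uc = _uc_version(ua)
    if uc is not None:
        return uc < (12, 13, 2)
    major = _chromium_major(ua) if _is_chromium(ua) else None
    return major is not None and 51 <= major < 67


def set_cookie_for(ua, cookie, classifier=chromium_incompatible):
    """Set-Cookie value to send: the attribute pair is added only for compatible clients."""
    return cookie if classifier(ua) else cookie + "; SameSite=None; Secure"


# Quoted from the thread.
UA_IOS13 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 13_3_1 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1")
UA_MAC1015_SAFARI14 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 "
                       "(KHTML, like Gecko) Version/14.0.2 Safari/605.1.15")
# Constructed for the comparison.
UA_IOS12 = ("Mozilla/5.0 (iPhone; CPU iPhone OS 12_1 like Mac OS X) AppleWebKit/605.1.15 "
            "(KHTML, like Gecko) Version/12.0 Mobile/15E148 Safari/604.1")
UA_MAC1014_SAFARI13 = ("Mozilla/5.0 (Macintosh; Intel Mac OS X 10_14_6) AppleWebKit/605.1.15 "
                       "(KHTML, like Gecko) Version/13.0.5 Safari/605.1.15")
UA_CHROME60 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/60.0.3112.113 Safari/537.36")
UA_CHROME80 = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
               "(KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36")

if __name__ == "__main__":
    for name in ("UA_IOS13", "UA_MAC1015_SAFARI14", "UA_IOS12",
                 "UA_MAC1014_SAFARI13", "UA_CHROME60", "UA_CHROME80"):
        ua = globals()[name]
        print(f"{name:20} thread-regex excludes={thread_regex_excludes(ua)!s:5} "
              f"chromium incompatible={chromium_incompatible(ua)}")
```

The Windows Chrome strings are the interesting ones: nothing in the thread's regex mentions Chrome, so an old Chrome 51-66 install gets the attribute and drops the cookie, which is the opposite failure from the Safari one the thread is working around. If you keep the Apache `<If>` approach, the Chromium page's regexes are the ones to transcribe.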