How to fix "This Set-Cookie was blocked due to user preferences" in Chrome? (Stackoverflow SSO Login / Ajax CORS request)

It seems that the recent update of Chrome to version 83.0.4103.116 brought a change to the Cookie handling.

I am providing a single sign-on for my users that signs them in to several websites. Similar to Stack Overflow, I am doing an AJAX request with jQuery:

crossDomain: true, 
xhrFields: { withCredentials: true },

And in PHP I allow the domain:

// needed for cross-domain request
header('Access-Control-Allow-Origin: https://www.example.com');
header('Access-Control-Allow-Credentials: true');

However, now it does not work anymore.

In the dev console I found a new warning with the tooltip:

"This Set-Cookie was blocked due to user preferences"


How to fix this?



Update:

I just see that the Single-Sign-On of Stackoverflow is not working anymore either!




PS: A related question suggests telling your users to change the Chrome settings; from my POV, I'd like to avoid this. Just imagine SO informing millions of users to enable cookies to do a single sign-on...



Solution 1:[1]

If you can only replicate this in Incognito and Pierre Pretorius's answer didn't help, you are probably being hit by a change in Chrome 83 where third party cookies are blocked by default in Incognito mode. See https://angel.co/today/stories/chrome-83-arrives-with-redesigned-security-settings-third-party-cookies-blocked-in-incognito-21796

I don't think you can do much to change this, and Google intends to make this the default behaviour in the future: https://www.theverge.com/2020/1/14/21064698/google-third-party-cookies-chrome-two-years-privacy-safari-firefox

EDIT: Google will not implement this until at least 2023 https://blog.google/products/chrome/updated-timeline-privacy-sandbox-milestones/

Solution 2:[2]

The site that is passing the set-cookie HTTP header also needs to pass the SameSite as None and also Secure, else the cookie is not saved and is ignored.

Set-Cookie: qa_session=...; SameSite=None; Secure

Before you do, please read the security implications: https://blog.heroku.com/chrome-changes-samesite-cookie

PHP code example (source):

function setcookieSameSite($name, $value, $expire, $path, $domain, $secure, $httponly, $samesite = "None")
{
    if (PHP_VERSION_ID < 70300) {
        // Before PHP 7.3 setcookie() has no samesite option, so the attribute is
        // appended to the path string, which PHP writes verbatim into the header.
        setcookie($name, $value, $expire, "$path; samesite=$samesite", $domain, $secure, $httponly);
    } else {
        // PHP 7.3+ accepts an options array with a dedicated 'samesite' key.
        setcookie($name, $value, [
            'expires'  => $expire,
            'path'     => $path,
            'domain'   => $domain,
            'samesite' => $samesite,
            'secure'   => $secure,
            'httponly' => $httponly,
        ]);
    }
}

Solution 3:[3]

Select the first option in "Cookies and other site data" in Chrome settings, which is "Allow all cookies". It worked for me.


Solution 4:[4]

This is due to a major change in cookie handling to help mitigate CSRF. Following this draft: https://datatracker.ietf.org/doc/html/draft-west-first-party-cookies-07

The workarounds above (the function setcookieSameSite) won't work because you need to set the samesite flag on the session identifier (I can see the PHPSESSID has this message too, i.e. "This Set-Cookie was blocked due to user preferences"). Or maybe by trying on the session_set_cookie_params path? (untested).

In particular, for the PHP 5.6 branch, you need to set the session's cookie attribute.

BTW, it seems the qa_session cookie in your screenshot is a random cookie; for this one it is OK to use @Pierre-Pretorius's answer, it will work.

For PHP 5.6.40, see my other answer here: https://stackoverflow.com/a/64960472/1641763
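Solution 2 states the header requirement (SameSite=None together with Secure) and Solution 4 points out that the PHP session cookie needs the same treatment. The following Python checker is an added example, not code from any of the answers: it parses the Set-Cookie headers of a response and reports the server-side reasons a cookie would be dropped on a cross-site SSO call. The sample headers are constructed; a block caused purely by the user's third-party-cookie preference (Solutions 1, 3 and 5) is not visible in any header and is out of its scope.

```python
"""Lint Set-Cookie headers for the server-side reasons a cookie is dropped on a
cross-site request (added example, not code from the original answers; the
sample headers are constructed). Rules applied: a missing SameSite is treated as
Lax and withheld cross-site; SameSite=None is only accepted with Secure; Secure
is only accepted over HTTPS. A cookie that passes all three can still be
dropped by a user preference (third-party cookies blocked), which no header fixes."""


def parse_set_cookie(header: str) -> tuple[str, str, dict[str, str]]:
    """Split a Set-Cookie value into (name, value, {lowercased attribute: value})."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    if not parts or "=" not in parts[0]:
        raise ValueError(f"malformed Set-Cookie: {header!r}")
    name, _, value = parts[0].partition("=")
    attrs: dict[str, str] = {}
    for part in parts[1:]:
        key, _, val = part.partition("=")
        attrs[key.strip().lower()] = val.strip()
    return name.strip(), value, attrs


def audit_set_cookie(header: str, over_https: bool = True) -> list[str]:
    """Return the reasons this cookie would not survive a cross-site SSO call."""
    name, _, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite", "").lower()
    secure = "secure" in attrs
    problems: list[str] = []
    if not samesite:
        problems.append(f"{name}: no SameSite attribute, treated as Lax and withheld cross-site")
    elif samesite in ("lax", "strict"):
        problems.append(f"{name}: SameSite={attrs['samesite']} is never sent cross-site")
    elif samesite == "none" and not secure:
        problems.append(f"{name}: SameSite=None without Secure is rejected by the browser")
    if secure and not over_https:
        problems.append(f"{name}: Secure attribute set, but the response is not over HTTPS")
    return problems


def audit_response(set_cookie_headers: list[str], over_https: bool = True) -> dict[str, list[str]]:
    """Audit every Set-Cookie header of one response, keyed by cookie name."""
    return {parse_set_cookie(h)[0]: audit_set_cookie(h, over_https) for h in set_cookie_headers}


# Constructed response: the application cookie carries the Solution 2 attributes,
# but the PHP session cookie (Solution 4) still has the defaults.
SAMPLE_HEADERS = [
    "qa_session=3f9c; Path=/; SameSite=None; Secure; HttpOnly",
    "PHPSESSID=7d2a; Path=/",
]
```

Running audit_response(SAMPLE_HEADERS) reports nothing for qa_session and flags PHPSESSID, which is exactly the split the PHPSESSID warning in Solution 4 describes.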

Solution 5:[5]

This happens when you might have "Block third-party cookies" enabled in the browser. You can check this in:

Settings → Site Settings → Cookies and site data → Block third-party cookies

Also available via:

chrome://settings/content/cookies

Change this setting to "Allow all cookies".

Sources

This article follows the attribution requirements of Stack Overflow and is licensed under CC BY-SA 3.0.

Source: Stack Overflow

Solution Source
Solution 1
Solution 2 Pierre Pretorius
Solution 3 Zankhana Patel
Solution 4 Community
Solution 5 sharad jain