SameSite Cookie Attribute

milan.timotijevic · October 29, 2019, 10:21am

Since recently, Chrome has started throwing warnings for keycloak-specific cookies. It is saying they are missing the SameSite=None attribute and that future versions of Chrome will no longer be sending cookies that are missing this attribute.

To elaborate: browsers today have an implicit value for SameSite (if it is not provided), however, this will change at some point.

Is there an easy way to add this property to cookies? Or is there a plan to include such option in a future release?

Thanks!

stianst · October 31, 2019, 2:44pm

Hi, please open a JIRA to request this to be added to Keycloak and we’ll look into it.

jonkoops · November 6, 2019, 4:10pm

Looks like this has been added to Keycloak Gatekeeper but not to Keycloak itself. See: https://github.com/keycloak/keycloak-gatekeeper/pull/482/files

ben · November 18, 2019, 9:47am

@milan.timotijevic Have you opened an JIRA ticket for this request already?

ben · November 19, 2019, 11:21am

I’ve opened an issue in Keycloak JIRA: https://issues.jboss.org/browse/KEYCLOAK-12125

Topic		Replies	Views
Keycloak 9.0.0 - Cookies are not being sent with SameSite=None by the server Configuring the server admin-console , authentication	5	8688	August 10, 2020
In Angular 18, how can I solve this: Cookie “KEYCLOAK_3P_COOKIE” does not have a proper “SameSite” attribute value...? Getting advice	0	227	May 26, 2024
Cookie Security Configuring the server	0	1331	March 24, 2021
Keycloak 8.0.2 migration problem vs 'SameSite by default cookie' in Chrome Getting advice	3	2661	March 1, 2020
Firefox 92 and admin console: "Cookie will be soon rejected" Configuring the server admin-console	0	876	September 29, 2021

SameSite Cookie Attribute

Related Topics