Chrome Cross-Site Cookie

NyanCode ID 2 months ago

Hi, thanks for the great app and community. I have some issues with cookies due to the Chrome security update. Here is what the message looks like in the DevTools console.

A cookie associated with a cross-site resource at http://xxx.xxx.xxx.xxx/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`

Since Chrome shows this cookie warning message, I think traccar-server should have a configuration option for cross-site cookies. We are helpless using the WebSocket API due to the cross-site cookie warning, because traccar-server does not send a properly configured Set-Cookie header (it is sent without "SameSite"), so Chrome by default treats them as "SameSite=Lax". So we need a configuration option in traccar.xml to set this cookie option to none, lax, or secure.

I am working on localhost and the Traccar server is running on a VPS, so that's why Chrome marks it as cross-site and I can't use the WebSocket API. I call "api/session" first and then connect to the WebSocket to make sure the response header Set-Cookie works; it just worked before Chrome updated their security. Now when I call the WebSocket API we are missing the session in the request header, so the WebSocket immediately finishes and returns: failed: Error during WebSocket handshake: Unexpected response code: 503. It happens only when it's running on localhost, and works perfectly on the production server with a same-site IP/domain.

What do you think about this issue?

Anton Tananaev 2 months ago

You might need to modify the code to include required headers.

NyanCode ID 2 months ago

Which file of the code should I modify?
I am not familiar with Java yet, so I need your suggestion, please.

NyanCode ID 2 months ago

And why does the traccar-server socket API use a session instead of using basic authentication or a token?

Anthony Nardelli 2 months ago

I'm facing the same problem. I'm not a Java expert, but I'm willing to modify the code if necessary; I just need some light on my path, and if someone in this forum can tell me which file should be modified I would be more than grateful.

JCardus 2 months ago

Hi, I submitted a PR for this.

Anton Tananaev a month ago

In the next release it will be possible to configure the SameSite attribute like this:

<entry key='web.sameSiteCookie'>None</entry>
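
The following is an added example, not code from Traccar or from anyone in this thread. It models Chrome's SameSite-by-default rules for a Set-Cookie header, so you can see why the cross-site WebSocket handshake described above loses the session cookie, and what each value of the `web.sameSiteCookie` setting changes. The cookie name `JSESSIONID`, the helper names and the request scenarios are assumptions made for the example; the Traccar setting is assumed to do nothing more than select the SameSite value written on the header.

```javascript
// Added example (not Traccar's code): a small model of how Chrome decides
// whether a session cookie is stored and whether it is attached to a
// cross-site request such as a WebSocket handshake or XHR call.
// Cookie name, helper names and scenarios below are assumptions.

// Build the Set-Cookie header a server would emit for a session cookie.
// `sameSite` mirrors the value chosen with the web.sameSiteCookie setting.
function buildSetCookie(name, value, { sameSite, secure = false, httpOnly = true } = {}) {
  const parts = [`${name}=${value}`, 'Path=/'];
  if (httpOnly) parts.push('HttpOnly');
  if (secure) parts.push('Secure');
  if (sameSite) parts.push(`SameSite=${sameSite}`);
  return parts.join('; ');
}

// Parse a Set-Cookie header into name, value and lower-cased attributes.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), attributes: {} };
  for (const attr of attrs) {
    if (!attr) continue;
    const i = attr.indexOf('=');
    const key = (i === -1 ? attr : attr.slice(0, i)).toLowerCase();
    cookie.attributes[key] = i === -1 ? true : attr.slice(i + 1);
  }
  return cookie;
}

// Chrome's rules as modelled here:
//  * no SameSite attribute          -> treated as SameSite=Lax
//  * SameSite=None without Secure   -> cookie rejected outright
//  * Secure cookie set over http    -> cookie rejected (insecure origin)
//  * cross-site non-navigation request (fetch, XHR, WebSocket handshake)
//    only carries the cookie when it is SameSite=None; Secure
function evaluateCookie(header, { crossSite, https }) {
  const { attributes } = parseSetCookie(header);
  const sameSite = attributes.samesite ? String(attributes.samesite).toLowerCase() : 'lax';
  const secure = attributes.secure === true;
  if (sameSite === 'none' && !secure) {
    return { stored: false, sentOnRequest: false, reason: 'SameSite=None requires Secure' };
  }
  if (secure && !https) {
    return { stored: false, sentOnRequest: false, reason: 'Secure cookie set from an http origin' };
  }
  if (!crossSite) {
    return { stored: true, sentOnRequest: true, reason: 'same-site request' };
  }
  if (sameSite === 'none') {
    return { stored: true, sentOnRequest: true, reason: 'SameSite=None; Secure allows cross-site use' };
  }
  return { stored: true, sentOnRequest: false, reason: `SameSite=${sameSite} blocks cross-site requests` };
}

// Walk through the three configurations discussed in the thread for a
// cross-site client (dev on localhost, server elsewhere). Returns the
// outcome for each so the caller can inspect or print them.
function compareConfigurations() {
  const value = 'constructed-session-id';
  return {
    // Old behaviour: header without SameSite, server on plain http.
    defaultLax: evaluateCookie(buildSetCookie('JSESSIONID', value), { crossSite: true, https: false }),
    // web.sameSiteCookie=None but the server is still on http (no Secure).
    noneWithoutSecure: evaluateCookie(
      buildSetCookie('JSESSIONID', value, { sameSite: 'None' }), { crossSite: true, https: false }),
    // web.sameSiteCookie=None with Secure over https: what actually works.
    noneSecureHttps: evaluateCookie(
      buildSetCookie('JSESSIONID', value, { sameSite: 'None', secure: true }), { crossSite: true, https: true }),
  };
}

for (const [name, result] of Object.entries(compareConfigurations())) {
  console.log(`${name}: stored=${result.stored} sent=${result.sentOnRequest} (${result.reason})`);
}
```

The practical consequence for the scenario in this thread is the third case: setting the attribute to `None` only restores the cross-site session when the cookie is also marked `Secure` and the server is reached over HTTPS; a `None` cookie without `Secure`, or a `Secure` cookie from a plain `http://` address, is dropped by Chrome before it can be attached to the WebSocket handshake.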

NyanCode ID a month ago

@Anton that is what we were looking for. That's cool; thanks for making it happen. I appreciate you and all the contributors for their hard work.

FYI: just for now, to make it work with Chrome, I have to disable the SameSite-by-default-cookies feature at chrome://flags/#same-site-by-default-cookies. Since it's needed only when I am working in a local development environment, it's just a temporary solution for now.