Safari not sending cookie even after setting SameSite=None; Secure

Question

Our application uses cookies to remember user login. Every auth API call we make, the browser attaches server-set HTTPonly cookie with the API request and gets authenticated

Answer 1

Versions of Safari on MacOS 10.14 and all browsers on iOS 12 are affected by this bug which means that SameSite=None is erroneously treated as SameSite=Strict, e.g. the most restrictive setting.

I've published some guidance in SameSite cookie recipes on either:

• Using two sets of cookies to account for browsers that support SameSite=None; Secure and those that don't.
• Sniffing the user agent for incompatible browsers and not serving SameSite=None for those requests.