I'm trying to set an HttpOnly cookie sent from a backend server written in Go into my browser. Before testing on my application I used Postman to ensure that my API was working as expected and, as I intended, the app was saving my refresh token in an HttpOnly cookie.
However, after performing the login, if I check the Application section of Chrome dev tools I can't find my cookie. By searching online I found that this might be an issue with the SameSite attribute, but setting it to Lax didn't solve my problem.
What do I have to do to ensure that my token is stored by the browser?
Update: By checking the Network tab of the browser's dev tools I got this error:

This Set-Cookie was blocked because it has the "SameSite=Lax" attribute but came from a cross-site response which was not the response to a top-level navigation.
Is there a way to allow Chrome to store SameSite=None with secure=false, or something else that allows me to test during development?
//NOTICE: I DON'T WANT TO DISABLE CORS
Update 2:
After a lot of research, I found this shortcut to allow Chrome to save cookies with SameSite=None even if secure=false.
Go to chrome://flags/
Search for "Cookies without SameSite must be secure"
Disable it and restart your browser.
This will allow you to accept insecure cookies with a SameSite=None policy.
Notice that this approach might expose you to vulnerabilities if you are using an app that is not properly secured, so it's suggested to use it only during development and re-enable the flag after testing your application.
I didn't put this part in the answer section since, as I said, it's not a secure solution and maybe a better approach exists to achieve this result.
question from:
https://stackoverflow.com/questions/66055788/chrome-isnt-saving-cookies-in-development
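The blocked Set-Cookie in the question comes from a cross-site response, and a cookie that must travel cross-site needs SameSite=None together with Secure, which browsers will not accept without the Secure attribute. The following Go handler, added here as an illustration and not part of the question or of the asker's code, builds the HttpOnly refresh-token cookie in both a same-site and a cross-site configuration and records the resulting Set-Cookie header so the attributes can be checked without a browser. The origin http://localhost:3000, the cookie name, the /auth path and the token value are constructed for the example; the note that Chrome and Firefox treat http://localhost as a secure context (so a Secure cookie still works in local development) is an assumption about recent browser versions.

```go
package main

import (
	"fmt"
	"net/http"
	"net/http/httptest"
	"time"
)

// refreshCookie builds the HttpOnly refresh-token cookie. crossSite is true
// when the page calling the API lives on a different site than the API,
// which is the situation the blocked Set-Cookie describes.
func refreshCookie(token string, crossSite bool) *http.Cookie {
	c := &http.Cookie{
		Name:     "refresh_token", // constructed name
		Value:    token,
		Path:     "/auth", // only sent back to the refresh endpoint
		HttpOnly: true,    // invisible to document.cookie
		Expires:  time.Now().Add(7 * 24 * time.Hour),
		SameSite: http.SameSiteLaxMode, // enough when frontend and API are same-site
	}
	if crossSite {
		// Browsers only accept SameSite=None together with Secure. Assumption:
		// Chrome and Firefox treat http://localhost as a secure context, so
		// Secure=true also works in development without touching chrome://flags.
		c.SameSite = http.SameSiteNoneMode
		c.Secure = true
	}
	return c
}

// loginHandler issues the cookie. allowedOrigin is the exact frontend origin;
// for credentialed cross-site requests CORS must name the origin explicitly,
// since browsers reject "*" when credentials are included.
func loginHandler(allowedOrigin string, crossSite bool) http.HandlerFunc {
	return func(w http.ResponseWriter, r *http.Request) {
		if crossSite {
			w.Header().Set("Access-Control-Allow-Origin", allowedOrigin)
			w.Header().Set("Access-Control-Allow-Credentials", "true")
			w.Header().Set("Vary", "Origin")
		}
		// A real handler validates credentials and mints a token here;
		// the token value below is constructed for the example.
		http.SetCookie(w, refreshCookie("example-refresh-token", crossSite))
		w.WriteHeader(http.StatusNoContent)
	}
}

// setCookieHeader runs the handler against a recorder and returns the raw
// Set-Cookie header, so the attributes can be inspected without a browser.
func setCookieHeader(crossSite bool) string {
	rec := httptest.NewRecorder()
	req := httptest.NewRequest(http.MethodPost, "/auth/login", nil)
	loginHandler("http://localhost:3000", crossSite)(rec, req) // constructed origin
	return rec.Header().Get("Set-Cookie")
}

func main() {
	fmt.Println("same-site:  ", setCookieHeader(false))
	fmt.Println("cross-site: ", setCookieHeader(true))
}
```

On the browser side the request has to be sent with credentials (fetch's `credentials: 'include'` or XMLHttpRequest's `withCredentials = true`), otherwise the response's Set-Cookie is ignored even when the attributes are right. Keeping the Path narrow and the cookie HttpOnly limits where the refresh token is sent and keeps it out of reach of page scripts.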