codedecoder

breaking into the unknown…

Chrome SameSite-by-default cookies causing sessions to stop working in Rails


One of our products communicates between two web apps hosted at, say, my_first_site.com and my_second_site.com.

Requests originate from my_first_site.com, which sends some data to my_second_site.com; there we validate the data, create a user session on my_second_site.com, and open my_second_site.com in a new window.

Things worked fine until yesterday, when we suddenly hit a blocker: many users on Chrome could not reach my_second_site.com because it showed an Invalid session error.

The callback that checks for a valid session is shown below:

 

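	# Controller callback: send the user to the expired-session page unless the session is valid
	def validate_session
		# Valid only when user_id is present and equals the value stored in Redis under the SSO id
		if session[:user_id].blank? || (session[:user_id] != REDIS.get(session[:ssoId].to_s))
			# Keep an earlier error type if one was already recorded
			session[:error_type] = 'invalid_session' if session[:error_type].blank?
			redirect_to session_expired_path
		end
	end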

On checking the log, the session user_id is never being set, even though the request passes all validations.

The problem here is that a recent Chrome update enables the SameSite cookie policy by default, which disables support for setting cookies between different sites.

So to fix the issue we have to disable the SameSite cookie restrictions.

Enable cross-site cookie support in Chrome by following the steps below:

  1. Open a new tab in Chrome and type chrome://flags (refer to the screenshot below)
  2. Search for SameSite (refer to the screenshot below)
  3. Disable the SameSite parameters shown in the screenshot below
  4. Click the Relaunch button

 

Note: This is a temporary fix on the Chrome side. We still have to see what we can do at the code level to make it work without users having to change their Chrome settings.
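One possible code-level approach to the note above, as an added example that is not code from the original post: a Rack-style middleware that marks only the session cookie `SameSite=None; Secure` on HTTPS responses, so Chrome accepts it in the cross-site flow while every other cookie keeps the default policy. The class name and the cookie name `_my_second_site_session` are assumptions.

```ruby
# Added example: Rack-style middleware in plain Ruby (no gems needed to run it).
class SameSiteNoneSession
  SESSION_KEY = "_my_second_site_session" # assumed name; use your session_store key

  def initialize(app, key: SESSION_KEY)
    @app = app
    @key = key
  end

  def call(env)
    status, headers, body = @app.call(env)
    name = headers.keys.find { |k| k.to_s.casecmp?("set-cookie") }
    if name && https?(env)
      raw = headers[name]
      # Rack 2 joins cookies with "\n"; Rack 3 uses an Array. Keep the shape.
      cookies = raw.is_a?(Array) ? raw : raw.to_s.split("\n")
      cookies = cookies.map { |c| relax(c) }
      headers[name] = raw.is_a?(Array) ? cookies : cookies.join("\n")
    end
    [status, headers, body]
  end

  # Rewrite only the session cookie; all other cookies are returned unchanged.
  def relax(cookie)
    return cookie unless cookie.start_with?("#{@key}=")
    attrs = cookie.split(/;\s*/)
    pair = attrs.shift
    # Drop any existing SameSite/Secure attribute so it is not duplicated.
    attrs.reject! { |a| a =~ /\A(samesite(=.*)?|secure)\z/i }
    ([pair] + attrs + ["Secure", "SameSite=None"]).join("; ")
  end

  private

  # Browsers reject SameSite=None without Secure, so plain-HTTP responses are
  # left alone. X-Forwarded-Proto is honoured on the assumption that a trusted
  # TLS-terminating proxy sets it.
  def https?(env)
    env["rack.url_scheme"] == "https" || env["HTTP_X_FORWARDED_PROTO"] == "https"
  end
end
```

In a Rails app this would be registered outside the cookie middleware, for example with `config.middleware.insert_before ActionDispatch::Cookies, SameSiteNoneSession`. Because the session cookie is then sent on cross-site requests again, the application's CSRF protection (`protect_from_forgery`) has to stay enabled.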

Author: arunyadav4u

Over 10 years' experience in web development with Ruby on Rails. Involved in all stages of the development lifecycle: requirement gathering, planning, coding, deployment & knowledge transfer. I can adapt to any situation, mix very easily with people & can be a great friend.
