The dev tools troubleshooting and the netlog_analyzer was super helpful. Now I can debug my cookie related nightmares without tearing the remainder of my hair. Thanks Rowan for this insightful lesson.
Mmmm cookies. Thanks for all the Devtools info it is always helpful to learn more about debugging issues like this. I have never dealt with giant websites so it has always been fairly easy, but this is great to know. I didn't think I would learn much, but I have to say I definitely learned a few things so thank you.
Thx for this in depth look on the changes and debugging. However, whenever I see videos/tutorials on SameSite I miss information about all the edge cases that are not really irrelevant. Like how does samesite=strict affect top level navigations caused by opening a new tab, manually typing a URL, clicking a bookmark, a shortcut on the homescreen, a link inside a native app, a link inside an apps webview, a custom chrome tab, a chrome extension, etc... What about cascading redirects away and back to the site? That's important when dealing with federated logins (SAML, OAuth, ...). So many questions 🙈
At 6:47 "So that blog hosting example, if you set up a SameSite equals Strict cookie, pretty much the same as your session, but you treat it like a token for write permission and validate that it's included on that form submission, then you can be pretty sure it came from the user submitting the form actually on your site." Can someone please help me understand the " but you treat it like a token for write permission and validate that it's included on that form submission" part.
Chrome sucks. I just got bit by the same-site= lax "fix". This was a horrible move. You have no idea the amount of work this has caused and at the worst possible time...FML
Rowan is extremely clear and well-paced. Well done.
The dev tools troubleshooting and the netlog_analyzer was super helpful. Now I can debug my cookie related nightmares without tearing the remainder of my hair. Thanks Rowan for this insightful lesson.
Awesome! Just what I was looking for. So well explained, clear and strict to the point! Thank you!
Mmmm cookies. Thanks for all the Devtools info it is always helpful to learn more about debugging issues like this. I have never dealt with giant websites so it has always been fairly easy, but this is great to know. I didn't think I would learn much, but I have to say I definitely learned a few things so thank you.
I'll sticky note this cookie recipe on my fridge.
Thx for this in depth look on the changes and debugging. However, whenever I see videos/tutorials on SameSite I miss information about all the edge cases that are not really irrelevant. Like how does samesite=strict affect top level navigations caused by opening a new tab, manually typing a URL, clicking a bookmark, a shortcut on the homescreen, a link inside a native app, a link inside an apps webview, a custom chrome tab, a chrome extension, etc... What about cascading redirects away and back to the site? That's important when dealing with federated logins (SAML, OAuth, ...). So many questions 🙈
I appreciate there's a lot of scope and nuance out there. I've gone into some detail on the POST callback pattern here: goo.gle/samesite-3d-secure
At 6:47 "So that blog hosting example, if you set up a SameSite equals Strict cookie, pretty much the same as your session, but you treat it like a token for write permission and validate that it's included on that form submission, then you can be pretty sure it came from the user submitting the form actually on your site."
Can someone please help me understand the " but you treat it like a token for write permission and validate that it's included on that form submission" part.
At some point someone will search for "cookie recipes" and stumble upon this video.
Very interesting, thanks
🌈 loved it, nicee recipe 💛💛💛
Two bits.
Chrome sucks. I just got bit by the same-site= lax "fix". This was a horrible move. You have no idea the amount of work this has caused and at the worst possible time...FML
This is an effort by all major browsers to move to a more secure default for users. Deal with it.
Also you had like 6 months to fix it