Viewing 5 replies - 1 through 5 (of 5 total)
  • Plugin Author Alexandre Froger

    (@frogerme)

    Hi @mennobouma !

    Thank you so much for that. I was able to diagnose the issue, and find a way to implement a fix; it will be deployed soon in the next version, as soon as it’s fully tested.

    I am convinced it will solve problems encountered by other users, because I did receive feedback regarding login sync issues, without more relevant information.
    Both login and logout rely on manipulating the LOGGED_IN_COOKIE ('wordpress_logged_in_' . COOKIEHASH); the WordPress function wp_set_auth_cookie originally used doesn’t allow changing the SameSite attribute, and the way to set this attribute depends on the PHP version running the site.
    Moreover, I also noticed that setting a cross-domain cookie with a script tag wouldn’t work anymore, even with SameSite set properly.

    The fix therefore involves calling a newly written function wprus_set_auth_cookie, and using a hidden iframe instead of a script tag for async actions.

    Some warning notices will still be present after I deploy the next version, but these wouldn’t concern the LOGGED_IN_COOKIE: for example, the Cloudflare __cfduid cookie, the WordPress test cookie wordpress_test_cookie, and possibly others if set by other plugins would be affected in the iframe, but that would be of no consequence for the login synchronization.

    It is also very important to note that, even if it’s already encouraged anyway, async user actions like Login and Logout will only work on HTTPS-enabled websites from now on, and there would be no way to circumvent that because this is now a browser restriction.

    I’ll mark this topic as resolved as soon as the next version has been deployed.
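
The PHP-version split and HTTPS requirement described in the reply above, as an added example that is not part of the original post and is not the plugin's `wprus_set_auth_cookie` code: from PHP 7.3 `setcookie()` accepts a `samesite` option, while older versions need the `Set-Cookie` header written by hand. The function names and the sample cookie name and value are hypothetical.

```php
<?php
// Added example; not code from the plugin. Function names are hypothetical.

// Build a raw Set-Cookie header for PHP < 7.3, where setcookie() has no
// samesite option. The cookie name is assumed to contain only token characters.
function example_build_set_cookie_header($name, $value, $expires, $path, $domain) {
    $header = 'Set-Cookie: ' . $name . '=' . rawurlencode($value);
    if ($expires > 0) {
        $header .= '; Expires=' . gmdate('D, d M Y H:i:s', $expires) . ' GMT';
    }
    $header .= '; Path=' . $path;
    if ($domain !== '') {
        $header .= '; Domain=' . $domain;
    }
    // Browsers reject SameSite=None unless Secure is also present.
    return $header . '; Secure; HttpOnly; SameSite=None';
}

// Send a cookie that browsers will attach to cross-site (iframe) requests.
// Returns false when the cookie cannot be delivered instead of failing silently.
function example_set_cross_site_cookie($name, $value, $expires, $path = '/', $domain = '') {
    $https = !empty($_SERVER['HTTPS']) && strtolower($_SERVER['HTTPS']) !== 'off';
    if (!$https || headers_sent()) {
        return false; // Secure cookies need HTTPS; headers must still be open.
    }
    if (PHP_VERSION_ID >= 70300) {
        return setcookie($name, $value, array(
            'expires'  => $expires,
            'path'     => $path,
            'domain'   => $domain,
            'secure'   => true,
            'httponly' => true,
            'samesite' => 'None',
        ));
    }
    // The second argument (false) keeps other Set-Cookie headers in place.
    header(example_build_set_cookie_header($name, $value, $expires, $path, $domain), false);
    return true;
}

// Constructed usage: name and value are placeholders, not real session data.
// example_set_cross_site_cookie('example_logged_in_cookie', 'user|1700000000|token', time() + 3600);
```
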

    Plugin Author Alexandre Froger

    (@frogerme)

    Marking the support request as resolved:

    • Using dedicated functions to handle login and logout cookies
    • Using an iframe tag instead of a script tag
    • Tested with 2 sites on different domains, with latest version of Chrome, both directions
    Thread Starter mennobouma

    (@mennobouma)

    Hello Alexandre,

    Thanks for your fast response and update!

    When I log in to one of the sites, the other site is still logged out. This is from the console:

    A cookie associated with a cross-site resource at <URL> was set without the SameSite attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at <URL> and <URL>.
    (index):525 Cross-Origin Read Blocking (CORB) blocked cross-origin response https://www.othersite.nl/login/?wprusdata=kLCK_8Yhq36LYsjDy34534poHSMarYkkE715Ju0b_5Kfa8jd7kClOWAtFCR4BY37482hEjX4JgtbapmPOkeBtXFik4n3y_rDmOcBSQnMlyAjhdnP9PYjxsoubxMnHo5ynbN2FWmxv0ZX7M2NPbwW7YolK1PG%2Bu6GfdOqfUfXUb6ssTw%3D&token with MIME type text/html. See https://www.chromestatus.com/feature/5629709824032768 for more details.

    Any idea how to solve this?

    Thanks,
    Menno

    Thread Starter mennobouma

    (@mennobouma)

    Hello Alexandre,

    I think I replied too fast! It looks like it’s working now!

    Thank you :D.

    Menno

    Plugin Author Alexandre Froger

    (@frogerme)

    Hi @mennobouma,

    I was typing up an answer that could be useful to other users curious about such warnings, so I’ll leave the gist of it here.
    This warning will appear for cookies set by WordPress other than the one used for authentication.
    In the Chrome console, under the “Issues” tab, the wordpress_logged_in_[hash] cookie is not in the list of cookies being blocked with the updated version (1.2.4). Other cookies being blocked, such as wordpress_test_cookie, are of no consequence for the cross-domain login operation, because once the user actually loads a page of the remote website, these cookies will be set properly.

    Thank you for your feedback, and feel free to leave a review!

  • The topic ‘A cookie associated with a cross-site…’ is closed to new replies.