Bell is not compatible with Hapi 15 due to same-site: strict for cookie #264

ldesplat opened this issue Sep 15, 2016 · 1 comment



@ldesplat ldesplat commented Sep 15, 2016

Bell is currently not compatible with Hapi 15. You should stick with Hapi 14 until we set the same-site attribute for the cookie that Bell has to set to either be turned off or set to lax. I am experimenting with different providers to determine how they do the redirect back, but until then Hapi 15 will not work.

@ldesplat ldesplat added the bug label Sep 15, 2016
@ldesplat ldesplat added this to the 9.0.0 milestone Sep 15, 2016


@ldesplat ldesplat commented Sep 17, 2016

So the results of my investigation are as follows: I am using a Mac and do not have access to a Windows machine. Tested with Firefox, Safari, Chrome.

If we set the state cookie to sameSite: Strict, then when we get redirected back from all the providers I've tried, the browser does not send us the cookie, as expected, but then Bell has a mechanism (originally developed for Safari) to do a refresh of the page when that is the case. So, in this case the request would come from our site, and in all browsers except one, that was the case and we were logged in.

That browser is Chrome, UNLESS you try in incognito mode, then it does the right thing.

If you set it to sameSite: Lax, then all the providers I've tried do not do a JavaScript redirect, so on the first try we get the cookie sent to us and it's all good. Except with Chrome. Now, Chrome will work in this mode in Incognito mode only, but no matter what you do, it will not work in non-incognito mode even when we execute our own refresh.

So, the only way to fix this properly is to set sameSite: false ... I wanted to include some interesting things in 9.0.0 but if I am right, I should release a new version ASAP to make it work with Hapi 15 properly in Chrome.
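
The return leg discussed in this issue, as an added example that is not part of the issue and is not Bell's or hapi's code: a simplified model of the SameSite rules as specified, showing when the state cookie reaches the callback and when a same-origin refresh is needed. The function names, request fields and the sample state value are hypothetical, and the model does not reproduce the Chrome-specific behaviour reported above.

```javascript
'use strict';

// Decide whether a browser following the SameSite rules attaches a cookie.
// sameSite: 'Strict' | 'Lax' | false (attribute omitted).
// req.sameSiteInitiator: true when the request was initiated by our own site.
function cookieIsSent(sameSite, req) {
    if (sameSite === false || req.sameSiteInitiator) return true;
    // Lax: cross-site requests carry the cookie only on top-level GET navigations.
    if (sameSite === 'Lax') return req.topLevelNavigation && req.method === 'GET';
    return false; // Strict: never sent on a cross-site request
}

// Hypothetical callback handler: compares the provider's `state` query value
// with the value stored in the state cookie before the redirect out.
function handleCallback(sameSite, req, stored, alreadyRefreshed) {
    const cookie = cookieIsSent(sameSite, req) ? stored : undefined;
    if (cookie === undefined) {
        // Cookie missing: reload once from our own page, then give up.
        return alreadyRefreshed ? 'reject' : 'refresh';
    }
    // The state comparison is the CSRF check the cookie exists for.
    return cookie === req.query.state ? 'authenticated' : 'reject';
}

// Walk the whole return leg for one SameSite setting.
function simulateLogin(sameSite, returnedState) {
    const stored = 'state-constructed-123'; // constructed sample value
    const first = {
        method: 'GET', topLevelNavigation: true,  // redirect back from the provider
        sameSiteInitiator: false, query: { state: returnedState }
    };
    const steps = [handleCallback(sameSite, first, stored, false)];
    if (steps[0] === 'refresh') {
        // The refresh is issued by our own page, so it counts as same-site.
        const second = { ...first, sameSiteInitiator: true };
        steps.push(handleCallback(sameSite, second, stored, true));
    }
    return steps;
}

for (const mode of ['Strict', 'Lax', false]) {
    console.log(String(mode), simulateLogin(mode, 'state-constructed-123'));
}
```

Whatever SameSite value is chosen, the state comparison still rejects a callback whose `state` does not match the stored one.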
