fix: use SameSite=Lax for session cookies to fix iOS Chrome sessions #24
Merged. pkmaster21 merged 1 commit into main on Apr 16, 2026.
Conversation
SameSite=None was causing iOS WebKit (used by all browsers on iPhone,
including Chrome) to drop session cookies due to ITP restrictions, even
for first-party cookies set via fetch() responses. Since all API calls
now go through the same-origin Cloudflare Pages Function proxy, there
is no need for SameSite=None — SameSite=Lax works correctly for
same-site requests and is fully trusted by iOS WebKit.
Also fixes the Pages Function proxy to use getAll('set-cookie') instead
of forEach() when forwarding Set-Cookie headers, preventing the
Cloudflare Workers runtime from collapsing multiple cookies into a
single comma-joined string.
Deploying tabby with Cloudflare Pages:

| Latest commit: | de71bbe |
| Status: | ✅ Deploy successful! |
| Preview URL: | https://ae83300a.tabby.pages.dev |
| Branch Preview URL: | https://fix-ios-samesite-cookie.tabby.pages.dev |
Problem
Users creating or joining groups on Chrome (or any browser) on iPhone were immediately seeing "Session expired. Open the group link again to rejoin." The previous fix — proxying API calls through a Cloudflare Pages Function so cookies would be same-origin — was deployed but didn't fully solve the issue.
The remaining problem was the `SameSite=None` cookie attribute. iOS WebKit (the rendering engine used by every browser on iPhone, including Chrome) applies ITP (Intelligent Tracking Prevention) restrictions to `SameSite=None` cookies, including first-party cookies set via `fetch()` responses. The browser would not store the cookie, so the very next API request after group creation came back 401.
Changes
- Cookie SameSite attribute (`auth.ts`, `groups.ts`, `members.ts`): Changed all session cookie `sameSite` from `process.env['NODE_ENV'] === 'prod' ? 'none' : 'lax'` to a constant `'lax'`. Since all API requests now go through the same-origin Pages Function proxy, `SameSite=Lax` is correct and sufficient — same-site requests include the cookie regardless of SameSite value.
- Pages Function proxy (`functions/api/[[path]].ts`): Fixed `Set-Cookie` forwarding to skip `set-cookie` in the `forEach` loop and instead use Cloudflare's `headers.getAll('set-cookie')` extension. The Cloudflare Workers `Headers.forEach()` implementation collapses multiple `Set-Cookie` entries into a single comma-joined string, which breaks cookie parsing. `getAll()` preserves them as individual entries.
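The Set-Cookie forwarding described in the Changes section, as an added example that is not the tabby project's own proxy code: it copies upstream headers while keeping each Set-Cookie separate, preferring Cloudflare's `getAll()`, then the WHATWG `getSetCookie()`, and only then a heuristic split of a comma-joined value, and it parses the session cookie's attributes so the `SameSite=Lax` change can be checked on a response. The header values and helper names are constructed for illustration.

```javascript
// Added example (not the tabby project's code). Assumes the Fetch-API
// Headers class (Cloudflare Workers, Node 18+).

// Fallback for runtimes with neither getAll() nor getSetCookie(): split a
// comma-joined Set-Cookie value only at commas followed by a new "name="
// token, so a date such as "Expires=Wed, 21 Oct ..." is not cut in half.
function splitJoinedSetCookie(joined) {
  if (!joined) return [];
  return joined.split(/,\s*(?=[^,;=]+=)/).map((s) => s.trim());
}

// Return every Set-Cookie header as its own string, whatever the runtime.
function readSetCookies(headers) {
  if (typeof headers.getAll === 'function') return headers.getAll('set-cookie'); // Cloudflare extension
  if (typeof headers.getSetCookie === 'function') return headers.getSetCookie(); // WHATWG Fetch
  return splitJoinedSetCookie(headers.get('set-cookie'));
}

// Build the proxy's response headers: copy everything except Set-Cookie via
// forEach() (which may have merged the cookies), then re-append each cookie.
function forwardUpstreamHeaders(upstream) {
  const out = new Headers();
  upstream.forEach((value, name) => {
    if (name.toLowerCase() !== 'set-cookie') out.append(name, value);
  });
  for (const cookie of readSetCookies(upstream)) out.append('set-cookie', cookie);
  return out;
}

// Parse one Set-Cookie line into the attributes that matter for a session cookie.
function sessionCookieAttributes(setCookie) {
  const [pair, ...attrs] = setCookie.split(';').map((s) => s.trim());
  const lower = attrs.map((a) => a.toLowerCase());
  const sameSite = lower.find((a) => a.startsWith('samesite='));
  return {
    name: pair.slice(0, pair.indexOf('=')),
    sameSite: sameSite ? sameSite.slice('samesite='.length) : null,
    httpOnly: lower.includes('httponly'),
    secure: lower.includes('secure'),
  };
}

// Constructed upstream response: two cookies, one with a comma inside its Expires date.
const upstream = new Headers({ 'content-type': 'application/json' });
upstream.append('set-cookie', 'session=abc123; Path=/; HttpOnly; Secure; SameSite=Lax');
upstream.append('set-cookie', 'theme=dark; Path=/; Expires=Wed, 21 Oct 2026 07:28:00 GMT');
const forwarded = forwardUpstreamHeaders(upstream);
```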