How do I allow for authentication of a webapp on browsers that block third party cookies?

Time:11-22

I am creating a webapp, and using rails sessions with cookies to authenticate a user. On a Chrome desktop browser, it has worked with no issue. However, I recently deployed the applications (a rails api and a separate front end react application) to Heroku, and I have been having issues staying logged in on the desktop Safari, mobile Safari, and mobile Chrome.

I did some digging, and I believe my cookies are set up fine, but the "Prevent cross-site tracking" setting is checked by default in Safari. After unchecking this, it worked on all Safari versions. Since this is not a viable solution if I want real users on my platform, how would I solve this issue? Is it possible to fix by altering my current cookie configuration, or will I have to do something more drastic like implementing some JWT-like authentication? I am rather new and not well versed in authentication methods, so some specific direction would be very helpful. I can post code snippets if needed, but I have a pretty typical rails cookie setup going on. Thanks.

CodePudding user response:

Indeed, you can have a look at solutions that involve persisted tokens (based on JWT, OAuth flows, …). This will always work, regardless of the "third-party cookies" setup of your clients' browsers.

But I suggest you first have a look at your API and how your client is interacting with your backend. In most basic app setups, you can use first-party cookies, which are never blocked by browsers. Is it intended that your application relies on third-party cookies? If the answer is yes (e.g. because your API is served from a completely different domain than your app), then go with the first option. Otherwise, check whether you can serve the API from the same domain as the app, if you want to keep using cookies.

CodePudding user response:

I would say it's best to stay with session cookies, and to enable this you need to make sure that your API and frontend are served from the same domain; these can be sibling domains, e.g. www.example.com and api.example.com.

You can go with JWTs, but it will solve one problem and create many others. E.g. JWTs handled in a browser are considered less secure than session cookies.
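To make the sibling-domain advice concrete, here is an added Ruby example (not code from either answer): it applies RFC 6265 domain matching to decide whether a frontend host and an API host can share one first-party session cookie, and builds the matching Rails `cookie_store` options. The `PUBLIC_SUFFIXES` list is a constructed subset for illustration; `shared_cookie_domain` and `session_store_options` are hypothetical helper names.

```ruby
# Constructed subset of the public suffix list; the real list is far longer.
# A cookie cannot be scoped to a public suffix, so hosts that only share one
# (e.g. two *.herokuapp.com apps) cannot share a cookie at all.
PUBLIC_SUFFIXES = %w[com co.uk herokuapp.com].freeze

# RFC 6265 domain matching: the request host receives a cookie whose Domain
# attribute is `domain` if the host equals it or ends with ".#{domain}"
# (IP-address hosts never domain-match a suffix).
def domain_match?(host, domain)
  host = host.downcase
  domain = domain.downcase.sub(/\A\./, '')
  return true if host == domain
  host.end_with?(".#{domain}") && host !~ /\A\d+\.\d+\.\d+\.\d+\z/
end

# Longest common parent domain of two hosts that is not a public suffix,
# i.e. the value usable in the cookie's Domain attribute so that both hosts
# are sent the session cookie as a first-party cookie. nil if none exists.
def shared_cookie_domain(host_a, host_b)
  a = host_a.downcase.split('.')
  b = host_b.downcase.split('.')
  common = []
  while a.any? && b.any? && a.last == b.last
    common.unshift(a.pop)
    b.pop
  end
  candidate = common.join('.')
  return nil if candidate.empty? || PUBLIC_SUFFIXES.include?(candidate)
  candidate
end

# Options for Rails' `config.session_store :cookie_store, ...` (assumed
# Rails 6.1+ option names) scoping the session cookie to the shared domain.
# Returns nil when the two hosts cannot share a first-party cookie.
def session_store_options(frontend_host, api_host)
  domain = shared_cookie_domain(frontend_host, api_host)
  return nil unless domain
  { key: '_app_session', domain: ".#{domain}", same_site: :lax, secure: true }
end
```

When `session_store_options` returns nil the hosts are cross-site for the browser, which is exactly the case where "Prevent cross-site tracking" drops the cookie.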
