Chrome doesn't send cookies after redirect

This issue is caused by hapi-auth-cookie not dealing yet with isSameSite (new feature of Hapi). We can set it manually, eg.

const server = new Hapi.Server(
    connections: {
        state: {
            isSameSite: 'Lax'
        }
    }
);

But please consider that, by default you have 'Strict' option, and in many cases you may not want to change that value.


A standalone demo of this issue: https://gist.github.com/isaacs/8d957edab609b4d122811ee945fd92fd

It's a bug in Chrome.


A recent version of Chrome was displaying this warning in the console:

A cookie associated with a cross-site resource at was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure.

My server redirects a user to an authentication server if they didn't have a valid cookie. Upon authentication, the user would be redirected back to my server with a validation code. If the code was verified, the user would be redirected again into the website with a valid cookie.

I added the SameSite=Secure option to the cookie but Chrome ignored the cookie after a redirect from the authentication server. Removing that option fixed the problem, but the warning still appears.