Problem with Hypothes.is cookies

17 views
Skip to first unread message

Joshua Halpern

unread,
Aug 13, 2020, 9:54:38 PM8/13/20
to dev
Hi,

LibreTexts has set up a system where a link to Hypothesis can be inserted into every page with a box at the bottom of the page. For example


If you login you get the nastygram
"Sorry, but your session has expired. Please go back and try again. " 

However it is possible to login from another link on the page. Our webmaster thinks that it is something about a cookie you are passing.

Best
Josh Halpern



Robert Knight

unread,
Aug 18, 2020, 10:21:40 AM8/18/20
to dev, Joshua Halpern
Hello,

I believe this is caused by the way that https://hypothes.is configures cookies with the `SameSite` attribute set to `Lax` - which is the recommended default for this attribute. See https://web.dev/samesite-cookie-recipes/. As a result, `POST` requests made from iframes in a third-party website will not include cookies, such as the Login request.

The Hypothesis client avoids this issue by making login happen in a popup, but we haven't done that for https://hypothes.is/search yet because that page is not currently designed to be embedded. For the moment you will need to create an external link which opens in a top-level tab, unless you are OK with the user being anonymous.

Kind Regards,
Robert.

Reply all
Reply to author
Forward
0 new messages