Problem with Hypothes.is cookies


Joshua Halpern

Aug 13, 2020, 9:54:38 PM
to dev
Hi,

LibreTexts has set up a system where a link to Hypothesis can be inserted into every page with a box at the bottom of the page. For example


If you log in you get the nastygram
"Sorry, but your session has expired. Please go back and try again. " 

However, it is possible to log in from another link on the page. Our webmaster thinks that it is something about a cookie you are passing.

Best
Josh Halpern



Robert Knight

Aug 18, 2020, 10:21:40 AM
to dev, Joshua Halpern
Hello,

I believe this is caused by the way that https://hypothes.is configures cookies with the `SameSite` attribute set to `Lax` - which is the recommended default for this attribute. See https://web.dev/samesite-cookie-recipes/. As a result, `POST` requests made from iframes in a third-party website will not include cookies, such as the Login request.

The Hypothesis client avoids this issue by making login happen in a popup, but we haven't done that for https://hypothes.is/search yet because that page is not currently designed to be embedded. For the moment you will need to create an external link which opens in a top-level tab, unless you are OK with the user being anonymous.

Kind Regards,
Robert.
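
The behaviour described in the reply above, as an added example that is not part of the original thread and is not Hypothesis code: a simplified JavaScript model of how a browser decides whether to attach a cookie based on its `SameSite` attribute. The embedding page `https://embedder.example/page`, the `/login` path and the two-label "site" approximation are assumptions made for illustration.

```javascript
// Simplified model of the browser's SameSite check (after RFC 6265bis).
// Assumption: a "site" is approximated by the last two host labels; real
// browsers use the Public Suffix List and also consider every ancestor frame.
const SAFE_METHODS = new Set(["GET", "HEAD", "OPTIONS", "TRACE"]);

function siteOf(url) {
  return new URL(url).hostname.split(".").slice(-2).join(".");
}

// request.topLevelUrl: address-bar URL of the tab the request originates from.
// request.isTopLevelNavigation: true when the response becomes a top-level
// document (link click, popup), false for iframe loads and subresources.
function cookieIsSent(sameSite, request) {
  if (sameSite === "None") return true; // sent everywhere (must also be Secure)
  if (siteOf(request.url) === siteOf(request.topLevelUrl)) return true;
  if (sameSite === "Strict") return false;
  // Lax: cross-site requests carry the cookie only for top-level
  // navigations that use a safe HTTP method.
  return request.isTopLevelNavigation &&
    SAFE_METHODS.has(request.method.toUpperCase());
}

// Constructed scenarios matching the thread. The embedder URL and the
// /login path are hypothetical placeholders.
const EMBEDDER = "https://embedder.example/page";
const SCENARIOS = {
  iframeSearchGet: { url: "https://hypothes.is/search", method: "GET",
    topLevelUrl: EMBEDDER, isTopLevelNavigation: false },
  iframeLoginPost: { url: "https://hypothes.is/login", method: "POST",
    topLevelUrl: EMBEDDER, isTopLevelNavigation: false },
  externalLinkGet: { url: "https://hypothes.is/search", method: "GET",
    topLevelUrl: EMBEDDER, isTopLevelNavigation: true },
  loginPostInOwnTab: { url: "https://hypothes.is/login", method: "POST",
    topLevelUrl: "https://hypothes.is/login", isTopLevelNavigation: true },
};

// Returns { scenarioName: boolean } for a cookie with the given attribute.
function evaluate(sameSite) {
  const out = {};
  for (const [name, req] of Object.entries(SCENARIOS)) {
    out[name] = cookieIsSent(sameSite, req);
  }
  return out;
}

console.log("SameSite=Lax:", evaluate("Lax"));
```

With `Lax`, both iframe requests go out without the session cookie, while the external link and a login completed in its own tab or popup carry it.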
