Login and Request Issues on HTTP in Google Chrome

Problem

When running Oxygen Feedback Enterprise over HTTP, users may encounter login issues or errors on actions such as submitting forms and making changes (e.g., POST or PUT requests) when the server is accessed from Google Chrome. This is due to Chrome's strict handling of cookies that carry the SameSite=None attribute without the Secure attribute.

Cause

Oxygen Feedback Enterprise uses HTTP cookies to authenticate client requests and maintain session information, including CSRF (Cross-Site Request Forgery) token validation for enhanced security. The session cookie (JSESSIONID) stores the user's session ID, which is crucial for both login authentication and CSRF token validation. However, by default, Oxygen Feedback Enterprise sets the SameSite=None attribute on all cookies, including JSESSIONID, regardless of whether the server runs on HTTP or HTTPS.

In Chrome, any cookie with SameSite=None must also have the Secure attribute (meaning it can only be sent over HTTPS). When Oxygen Feedback Enterprise is accessed over HTTP, Chrome rejects the JSESSIONID cookie due to the missing Secure attribute, causing issues in:

  • Login - The session cookie is blocked, so the browser never presents a valid session and authentication fails.
  • POST and PUT Requests - Any request that requires CSRF token validation fails because the session cookie is missing, leading to errors.

Solution

To avoid these issues when running Oxygen Feedback Enterprise on HTTP in Chrome, you can configure the application to omit the SameSite=None attribute on cookies:

  1. Open the {oxygen-feedback-home}/config/feedback-application.properties file.
  2. Add or update the following property:
    feedback.cookie.samesite.none=false
  3. Restart the Oxygen Feedback Enterprise server after saving the configuration changes.

Additional Troubleshooting

If the issue persists after configuring feedback.cookie.samesite.none=false, it may be due to a conflict with another JSESSIONID cookie set by a different application on the same host but over HTTPS (with the Secure attribute). Chrome will block non-secure cookies from overwriting a secure cookie with the same name.

To resolve this:

  • Clear cookies for the domain:
    1. In Chrome, go to chrome://settings.
    2. Click Privacy and security > Third-party cookies.
    3. Click See all site data and permissions.
    4. At the top-right, search for the website's name.
    5. To the right of the site, click Delete.
    6. To confirm, click Delete.
  • Run Oxygen Feedback over HTTPS: For a permanent solution and to align with security best practices, consider running Oxygen Feedback Enterprise over HTTPS. This allows the SameSite=None and Secure attributes to coexist on cookies, ensuring compatibility with Chrome's security policies.
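As an added example (not Oxygen Feedback Enterprise code), the following Python checker models the two Chrome behaviours this page describes: the rejection of a SameSite=None cookie that lacks Secure, and the refusal to let a non-Secure cookie overwrite a Secure cookie of the same name. The Set-Cookie header values are constructed to mirror the default configuration and the feedback.cookie.samesite.none=false fix; the check that a Secure cookie can only be set from an HTTPS origin is Chrome behaviour not mentioned on this page.

```python
# Added example (not Oxygen Feedback code): parse Set-Cookie headers and
# report cookies Chrome drops for the reasons described in this page.
from __future__ import annotations
from dataclasses import dataclass, field

@dataclass
class Cookie:
    name: str
    value: str
    attrs: dict = field(default_factory=dict)  # lower-cased attribute names

def parse_set_cookie(header: str) -> Cookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        if key:
            attrs[key.strip().lower()] = val.strip() or True
    return Cookie(name.strip(), value, attrs)

def chrome_rejection_reason(cookie: Cookie, scheme: str, jar: dict) -> str | None:
    """Return why Chrome rejects the cookie (scheme = response URL scheme, jar = stored cookies by name), or None."""
    samesite = str(cookie.attrs.get("samesite", "")).lower()
    secure = "secure" in cookie.attrs
    if samesite == "none" and not secure:
        return "SameSite=None requires the Secure attribute"
    if secure and scheme != "https":
        return "Secure cookie can only be set from an HTTPS origin"
    existing = jar.get(cookie.name)
    if existing is not None and "secure" in existing.attrs and not secure:
        return "non-Secure cookie may not overwrite a Secure cookie of the same name"
    return None

def check_response(headers: list[str], scheme: str, jar: dict | None = None) -> dict:
    """Evaluate Set-Cookie headers in order; return {cookie name: reason or None}."""
    jar = dict(jar or {})
    results = {}
    for header in headers:
        cookie = parse_set_cookie(header)
        reason = chrome_rejection_reason(cookie, scheme, jar)
        results[cookie.name] = reason
        if reason is None:
            jar[cookie.name] = cookie  # accepted cookies replace earlier ones
    return results

# Constructed headers: default configuration versus feedback.cookie.samesite.none=false
DEFAULT_HEADER = "JSESSIONID=abc123; Path=/; HttpOnly; SameSite=None"
FIXED_HEADER = "JSESSIONID=abc123; Path=/; HttpOnly"
```

Run check_response([DEFAULT_HEADER], "http") to see the rejection from the Cause section, and pass a jar containing a Secure JSESSIONID to reproduce the conflict from Additional Troubleshooting.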