
Information on the Cookies this App is using #1825

Open
resistorsoftware opened this issue Apr 8, 2024 · 4 comments

Comments

@resistorsoftware

Overview

With concern for this aspect of Shopify Apps:

https://github.com/Shopify/shopify_app/blob/main/lib/generators/shopify_app/install/templates/session_store.rb

We now see Shopify issue this console warning:

Cookie “_example_session” will soon be rejected because it is foreign and does not have the “Partitioned” attribute.

Is this new feature of the partitioned attribute something we should be worried about now, or is it a simple change coming?

@flavio-b
Contributor

flavio-b commented Apr 13, 2024

AFAIK, since cookies have become so unreliable inside iframes, shopify_app has not used cookies for anything in a while, relying solely on the JWT set in the Authorization header as a replacement for the authentication cookie.

That being said, Rails still uses cookies to store things like flash. I've simply deleted the session_store.rb file from my app and everything still works, except flash messages.

Going forward, it looks like Chrome will allow iframe cookies to work as long as the Partitioned attribute is set. To be honest, this seems like the proper solution that browsers should have implemented a while ago in the first place: If you're going to block third-party cookies due to privacy concerns, at least give legit apps a simple, safe way to keep using cookies, which would in theory make session management simpler again.

Anyway, I don't think shopify_app will change to use cookies for authentication again, even if the Partitioned thing works. It looks like we're all in with JWTs. However, perhaps we can at least keep using cookies for flash messages etc, and for that you'll have to set the Partitioned attribute.

The latest version of Rack (3.0.x) (and therefore Rails) doesn't support easily adding this attribute yet, but it looks like Rack 3.1 will have this feature. That thread also mentions a temporary workaround.
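For readers who want to see what "adding the attribute via Rack" amounts to before Rack 3.1 exposes it natively, here is an added example of a small Rack-style middleware (not shopify_app code, and not the workaround referred to in the linked thread) that appends `Partitioned` to outgoing `Set-Cookie` headers. It only touches cookies that are already cross-site capable (`SameSite=None; Secure`), which is the only configuration browsers will accept a partitioned cookie in, and passes everything else through unchanged. It assumes Rack 3 header conventions (lowercase header names, `set-cookie` as an Array or a newline-joined String) and needs no gems; the `SAMPLE_APP` and its cookie values are constructed for the demonstration.

```ruby
# Added example: middleware that adds the Partitioned attribute to
# cross-site cookies. Not from the shopify_app project. Assumes Rack 3
# conventions: lowercase header keys, set-cookie as Array or "\n"-joined String.
class PartitionedCookies
  SET_COOKIE = "set-cookie".freeze

  def initialize(app)
    @app = app
  end

  def call(env)
    status, headers, body = @app.call(env)
    raw = headers[SET_COOKIE]
    headers[SET_COOKIE] = self.class.partition(raw) if raw
    [status, headers, body]
  end

  # Accepts an Array of cookie strings or a String with one cookie per line
  # and returns the same shape with Partitioned added where appropriate.
  def self.partition(raw)
    if raw.is_a?(Array)
      raw.map { |c| partition_cookie(c) }
    else
      raw.split("\n").map { |c| partition_cookie(c) }.join("\n")
    end
  end

  # Only cookies marked SameSite=None and Secure are eligible for
  # partitioning; first-party (Lax/Strict) cookies are left alone.
  # Idempotent: a cookie that already carries Partitioned is untouched.
  def self.partition_cookie(cookie)
    attrs = cookie.split(";").map { |a| a.strip.downcase }
    return cookie if attrs.include?("partitioned")
    return cookie unless attrs.include?("samesite=none") && attrs.include?("secure")

    "#{cookie}; Partitioned"
  end
end

# Constructed sample app: one embedded-app session cookie (cross-site) and
# one first-party cookie, so both code paths are exercised.
SAMPLE_APP = lambda do |_env|
  [200,
   { "content-type" => "text/plain",
     "set-cookie" => [
       "_example_session=abc123; Path=/; Secure; HttpOnly; SameSite=None",
       "_csrf=xyz; Path=/; Secure; SameSite=Lax"
     ] },
   ["ok"]]
end

# Runs the sample app through the middleware and returns the resulting
# set-cookie header so the effect can be inspected.
def run_demo
  _status, headers, _body = PartitionedCookies.new(SAMPLE_APP).call({})
  headers["set-cookie"]
end

puts run_demo if $PROGRAM_NAME == __FILE__
```

In a Rails app this would sit in `config.middleware` ahead of the session and flash machinery; the point of the eligibility check is that a cookie without `SameSite=None; Secure` would be rejected by the browser regardless of `Partitioned`, so stamping the attribute on every cookie gains nothing and can mask a misconfigured session store.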

@resistorsoftware
Author

Thanks for the update! I am not terribly worried about any impact here, but it was something my console flashed at me, and that got me wondering about impact.

@paulomarg
Contributor

Hey folks, thanks for raising this! As @flavio-b pointed out, right now we don't rely on cookies at all for authentication any more, since browsers have been making it harder to use cookies within iframes for a while now.

Right now we're not planning on going back to cookies for authentication, and we're working on some improvements for embedded apps which will rely solely on JWTs, which is a faster / easier solution when inside the iframe.

That being said, we should probably still use the Partitioned setting for the cookies to re-enable flash messages. We'll test this out but this error should not have any impact on authentication. I'll add this to our tracking.

@resistorsoftware
Author

So there are two obvious choices:

  1. eliminate session_store.rb in the projects initializers or
  2. add Partitioned to the cookie via Rack, something currently not a reliable thing, but coming soon

In either case, minor stuff going on you say, and nothing impactful to this project, more or less just house cleaning cleanup.
