Cross-site DHIS2 application cookies will soon stop working in modern browsers!

As of mid-July 2020, the Chrome (and Chromium) stable release channel has started to disable cross-site cookies by default. Mozilla Firefox has pushed this change to their beta channel and will likely release it to the stable channel soon.

This change affects any DHIS2 application running on a different domain than the DHIS2 server instance, including applications running on localhost in development. It does not affect cross-site API requests which use Basic or OAuth authentication headers, as those do not rely on cookies for authentication.


The vast majority of DHIS2 users and implementers will not be affected by this issue. DHIS2 applications which are directly installed into a DHIS2 instance (either core applications or custom ones installed through the App Management app) will continue to work without any interruptions.

However, applications running on another server under a different domain will stop functioning in browsers which implement this new security feature. The most common place this occurs is during application development when your local application (running at http://localhost:3000 , for instance) attempts to connect and authenticate with a remote DHIS2 server (running at https://dhis2.myorg.com , for instance). When this happens, authentication will fail and the developer will see repeated HTTP 401 ( Error: Unauthorized ) errors in the developer console. A warning will also appear, at least in Chrome, similar to the following (it also appears in older versions which do not yet implement the feature):

A cookie associated with a cross-site resource at http://dhis2.org/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure . You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

In very rare cases, a production DHIS2 application might be running on a different domain than the DHIS2 server. If this issue is affecting a production application in your environment please let us know as soon as possible by opening a Jira ticket!


More details about SameSite Cookies and the available workarounds for application development can be found here:

Hello @austin,

I am newbie to DHIS2 and just started to learn WEP App development. So faced with the CORS problem. Could you provide TOMCAT 9 config for localhost DHIS2 server?
I have tried to put following config into Tomcat 9.0\webapps\dhis\WEB-INF\web.xml

<filter>
    <filter-name>CorsFilter</filter-name>
    <filter-class>org.apache.catalina.filters.CorsFilter</filter-class>
    <init-param>
        <param-name>cors.allowed.origins</param-name>
        <param-value>http://localhost/*, https://localhost/*, http://localhost:3000, http://localhost:3000/</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.methods</param-name>
        <param-value>GET,POST,PUT,DELETE,HEAD,OPTIONS</param-value>
    </init-param>
    <init-param>
        <param-name>cors.allowed.headers</param-name>
        <param-value>Content-Type,X-Requested-With,Accept,Authorization,Origin,Access-Control-Request-Method,Access-Control-Request-Headers</param-value>
    </init-param>
    <init-param>
        <param-name>cors.exposed.headers</param-name>
        <param-value>Access-Control-Allow-Origin,Access-Control-Allow-Credentials</param-value>
    </init-param>
</filter>
<filter-mapping>
    <filter-name>CorsFilter</filter-name>
    <url-pattern> /* </url-pattern>
</filter-mapping>

but still have no effect.

Thank you.
Regards, Ulanbek

@Ulanbek You don’t need to edit anything on tomcat config to add CORS. Instead you have to add localhost:8081 for example in the CORS page in the Settings App.

2 Likes

@SferaDev thank you for your help.
I just followed your suggestion and now it works. Thank you again

1 Like