As of mid-July 2020, the Chrome (and Chromium) stable release channel has started to disable cross-site cookies by default. Mozilla Firefox has pushed this change to their beta channel and will likely release it to the stable channel soon.
This change affects any DHIS2 application running on a different domain than the DHIS2 server instance, including applications running on localhost in development. It does not affect cross-site API requests which use Basic or OAuth authentication headers, as those do not rely on cookies for authentication.
The vast majority of DHIS2 users and implementers will not be affected by this issue. DHIS2 applications which are directly installed into a DHIS2 instance (either core applications or custom ones installed through the App Management app) will continue to work without any interruptions.
However, applications running on another server under a different domain will stop functioning in browsers which implement this new security feature. The most common place this occurs is during application development when your local application (running at http://localhost:3000
, for instance) attempts to connect and authenticate with a remote DHIS2 server (running at https://dhis2.myorg.com
, for instance). When this happens, authentication will fail and the developer will see repeated HTTP 401 ( Error: Unauthorized
) errors in the developer console. A warning will also appear, at least in Chrome, similar to the following (it also appears in older versions which do not yet implement the feature):
A cookie associated with a cross-site resource at http://dhis2.org/ was set without the
SameSite
attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set withSameSite=None
andSecure
. You can review cookies in developer tools under Application>Storage>Cookies and see more details at Chrome Platform Status and Chrome Platform Status.
In very rare cases, a production DHIS2 application might be running on a different domain than the DHIS2 server. If this issue is affecting a production application in your environment please let us know as soon as possible by opening a Jira ticket!
More details about SameSite Cookies and the available workarounds for application development can be found here: