
userStatus.json?logUserOut=true not working on Chrome (same site cookies issue?)

Open pako1337 opened this issue 4 years ago • 2 comments

Hey, I'm trying to implement logging the user out of ORCID when they log out of our system. I'm trying to call userStatus.json?logUserOut=true and it is working fine in Firefox (via JSONP request), but not in Chrome (Chrome v90). The obvious difference in requests I can see is that FF is sending more cookies (JSessionId, xsrf-token) while Chrome skips those. There's no Lax/None setting for same site in Chrome which I think might be the reason?

Steps to reproduce: log into sandbox.orcid.org, then go to http://orcid.github.io/test/log-user-out-jsonp.html -> should log user out, but does not on Chrome (it does on FF)

pako1337, Jun 02 '21 17:06

Correction: seems like that only affects sandbox.orcid.org, not the main site. On the main site, JsessionId etc. are setting the sameSite value to None, which makes everything work fine. I would appreciate fixing sandbox though, since that's the site we test with and it would make sense for both of them to work the same.

pako1337, Jun 04 '21 07:06

Hi Jarek,

I am Camelia, a developer at ORCID. I tried to reproduce the issue you have in sandbox and I am not able to. I was testing in Chrome (Version 90.0.4430.212 (Official Build) (x86_64) on macOS Catalina). Logging into sandbox and then hitting the URL you provided or directly https://sandbox.orcid.org/userStatus.json?logUserOut=true logs me out. Can you please provide more details, like the version of Chrome, the OS where you are experiencing the issue, and whether you have any security settings in Chrome that can help me reproduce it on our end?

Thanks.

Camelia-Orcid, Jun 08 '21 15:06
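
Added example, not part of the issue thread or ORCID's code: a small JavaScript model of which cookies a browser attaches to a cross-site subresource request such as the JSONP script load discussed above. The `Set-Cookie` values are constructed to mirror what the reporter describes (no SameSite attribute on sandbox, `SameSite=None` on the main site) and were not captured from ORCID; the function names are hypothetical.

```javascript
// Parse one Set-Cookie header value into { name, sameSite, secure }.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map(s => s.trim());
  const cookie = { name: pair.slice(0, pair.indexOf('=')), sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=').map(s => s.trim());
    if (key.toLowerCase() === 'secure') cookie.secure = true;
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
  }
  return cookie;
}

// Is this cookie attached to a cross-site subresource request (<script>, XHR)?
// laxByDefault: true models Chrome 80+, where a missing SameSite attribute is
// treated as Lax and SameSite=None is only honoured together with Secure.
// laxByDefault: false models a browser that treats a missing attribute as None.
function sentCrossSite(cookie, { laxByDefault }) {
  let mode = cookie.sameSite;
  if (mode !== 'strict' && mode !== 'lax' && mode !== 'none') {
    // Absent attribute (unrecognised values are handled the same way here,
    // which is a simplification).
    mode = laxByDefault ? 'lax' : 'none';
  }
  if (mode === 'none') return laxByDefault ? cookie.secure : true;
  return false; // Lax and Strict cookies are not sent on cross-site subresources
}

// Names of the cookies from `headers` that would accompany the request.
function cookiesSent(headers, policy) {
  return headers.map(parseSetCookie)
    .filter(c => sentCrossSite(c, policy))
    .map(c => c.name);
}

// Constructed sample headers (cookie values are placeholders).
const noSameSite = [
  'JSESSIONID=placeholder1; Path=/; Secure; HttpOnly',
  'XSRF-TOKEN=placeholder2; Path=/; Secure',
];
const sameSiteNone = noSameSite.map(h => h + '; SameSite=None');

console.log('no attribute, Lax default :', cookiesSent(noSameSite, { laxByDefault: true }));
console.log('no attribute, None default:', cookiesSent(noSameSite, { laxByDefault: false }));
console.log('SameSite=None, Lax default:', cookiesSent(sameSiteNone, { laxByDefault: true }));
```

To compare two environments, paste the `Set-Cookie` values shown in the browser's network panel for each host into the arrays.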