The Issue
If your Live App users access an embedded Knack app, you may be experiencing an issue preventing users from logging in. This is due to a security change in major browsers (like Chrome and Safari) that changes how they handle cross-site cookies.
The Solution
In order to address this immediately and continue supporting a wide range of use cases, we’re implementing two different login approaches.
An application will now be able to authenticate embedded app sessions with cookies or with tokens. Each solution has caveats, so it’s important to understand the differences.
Here’s a brief comparison between the two solutions. More details are available in each solution’s section below.
| Feature | Cookies | Tokens |
|---|---|---|
| Popup window | ✅ | ❌ |
| White-labeling | ❌ | ✅ |
| Session Persistence | ✅ | ❌ |
| Remember Me | ✅ | ❌ |
| SSO | ❌ | ❌ |
Choosing a solution
You can choose your authentication solution under the Security tab of your app settings.
More about cookie sessions
In order to continue supporting sessions with cookies, live app users will be required to validate their session through a popup window.
When viewing an embedded app that uses cookie sessions, we now display a single Login button instead of showing the usual login form.

Clicking on the Login button will open a new browser window and display the standard Knack login form.
The popup window must display the Knack URL in order for it to work, so white-labeling is currently not available for this solution.
If the user already has a valid session from being previously logged in, the browser window will show a single Validate your session button. This session validation will need to be completed any time a new browser session occurs. The button must be clicked by the user to allow the embedded application access to the cookie due to browser restrictions.

Completing the login process will close the browser window, and the app will load the authenticated page.
More about token sessions
This method will not use any cookies to authenticate live app users. Instead, the session is validated through a token specific to the user that is regenerated at every login. While token sessions don’t require a popup window to authenticate, they can’t be stored due to security concerns. This means that the session is lost on browser refresh and the user will need to re-authenticate.
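The token-session behaviour described above, modelled as an added example (not Knack's code or API): a per-user token issued at login, held only in page memory, and therefore gone after a refresh. `TokenAuthServer`, `createEmbeddedSession`, the `Bearer` header and the retirement of the old token at re-login are assumptions made for illustration.

```javascript
const webcrypto = globalThis.crypto ?? require("node:crypto").webcrypto;
function newToken() {
  const bytes = webcrypto.getRandomValues(new Uint8Array(32));
  return Array.from(bytes, (b) => b.toString(16).padStart(2, "0")).join("");
}

// Hypothetical server (not Knack's API): one live token per user, replaced at every login.
class TokenAuthServer {
  userByToken = new Map();
  tokenByUser = new Map();
  constructor(verifyCredentials) { this.verifyCredentials = verifyCredentials; }
  login(username, password) {
    if (!this.verifyCredentials(username, password)) return null;
    // Assumption: regenerating the token retires the previous one.
    this.userByToken.delete(this.tokenByUser.get(username));
    const token = newToken();
    this.userByToken.set(token, username);
    this.tokenByUser.set(username, token);
    return token;
  }
  handle(request) {
    const m = /^Bearer ([0-9a-f]{64})$/.exec(request.headers.authorization ?? "");
    const user = m ? this.userByToken.get(m[1]) : undefined;
    return user ? { status: 200, user } : { status: 401 };
  }
}

// Hypothetical embedded page: token kept only in this closure (no cookie, localStorage or sessionStorage).
function createEmbeddedSession(server) {
  let token = null;
  return {
    login: (u, p) => (token = server.login(u, p)) !== null,
    fetchPage: () => server.handle({ headers: token ? { authorization: `Bearer ${token}` } : {} }),
  };
}

function demo() {
  // Constructed stand-in for a real password check.
  const server = new TokenAuthServer((u, p) => u === "ada" && p === "constructed-pw");
  const page = createEmbeddedSession(server);
  const beforeLogin = page.fetchPage().status;
  page.login("ada", "constructed-pw");
  const afterLogin = page.fetchPage().status;
  const reloaded = createEmbeddedSession(server); // refresh: fresh JS state
  const afterReload = reloaded.fetchPage().status;
  reloaded.login("ada", "constructed-pw");
  const staleToken = page.fetchPage().status; // first token was replaced
  return { beforeLogin, afterLogin, afterReload, staleToken };
}
```

`demo()` returns the status of each request: 401 before login, 200 after, 401 again after the simulated refresh, and 401 for the first token once a second login has replaced it.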
Future Updates
We’d love to hear your feedback on both of these solutions as we continue to think about finding the right balance between user experience and security.