Get Ready for the Google Chrome Cookie Attribute Change

Google Chrome 80, scheduled to be released in February 2020, introduces a new default for the SameSite cookie attribute: a cookie that does not set SameSite is treated as SameSite=Lax. Previously, a cookie without a SameSite attribute was treated as SameSite=None, so browsers sent it on cross-site requests. Also new with Chrome 80, a cookie that explicitly sets SameSite=None must also carry the Secure attribute, which restricts it to encrypted HTTPS connections; Chrome rejects a SameSite=None cookie that is not marked Secure. Other browser vendors are expected to make similar changes soon.

To prepare for the changes, take the following actions:

Enable Enforce HTTPS

Starting with the B2C Commerce 20.1.1 Preview Release, we implemented changes to ensure that cookies behave as expected after the Chrome 80 release. You must enable the global security preference Enforce HTTPS so that the server can mark the cookies it sets with the Secure attribute and specify SameSite=None on them. If Enforce HTTPS is not enabled, the server does not specify the SameSite attribute at all. In that case, the browser applies its own default SameSite setting (SameSite=Lax in Chrome 80) and does not send the cookie in cross-site contexts such as embedded content or cross-site POST requests. Depending on the significance of the cookie, not sending it can break critical site functionality.

To enable the global security preference Enforce HTTPS, in Business Manager, go to Administration > Global Preferences > Security. On the Access Restrictions tab, select Enforce HTTPS and click Apply.

Important:

You must enable the global security preference Enforce HTTPS. Enabling Enforce HTTPS as a site preference doesn’t enable the necessary functionality.

We recommend that you test enabling Enforce HTTPS on a non-production instance before implementing the change on a production instance. We also recommend that you wait until after the holiday shopping season to make the change on the production instance.

Test Client-Side Code

If you set cookies using custom client-side JavaScript, test to determine if your code requires adjustments to accommodate the Chrome 80 changes.

Test Cross-Site Scenarios

A cross-site scenario occurs when the browser, while the user is on your site, sends a request to, or retrieves content from, a site with a different domain name. Common cross-site scenarios affected by the SameSite cookie attribute occur when:

To help with testing, you can simulate the upcoming Chrome 80 changes in current versions of Chrome by setting both of the following flags to Enabled:

Chrome currently applies a "Lax + POST" mitigation: a cookie that has no SameSite attribute and is less than two minutes old is still sent on top-level cross-site POST requests, as if it were SameSite=None. Cookies older than two minutes, and cookies that explicitly set SameSite=Lax, do not get this exception. In Chrome 79, expect options to adjust the time window or turn off this mitigation for testing. Refer to SameSite Updates for more information.
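To make the Chrome 80 rules concrete for the client-side tests and cross-site scenarios described above, the following added example (not B2C Commerce or Chrome code) models them in JavaScript: it parses Set-Cookie header values, computes the SameSite mode Chrome 80 will apply (missing attribute becomes Lax, None without Secure is rejected), predicts whether a cookie is attached to a given cross-site request including the two-minute "Lax + POST" window, and builds a document.cookie string that only uses SameSite=None in a secure context. The cookie names and header values are constructed samples; the request shape { method, topLevel, ageSeconds } and the helper names are assumptions of this example.

```javascript
// Added example, not code from the page or from B2C Commerce.
// Models the Chrome 80 SameSite rules to audit cookies before the release.

// Parse one Set-Cookie header value into name, value and the attributes we care about.
function parseSetCookie(header) {
  const parts = header.split(';').map((p) => p.trim()).filter(Boolean);
  const eq = parts[0].indexOf('=');
  if (eq < 0) throw new Error('not a name=value cookie pair: ' + header);
  const cookie = {
    name: parts[0].slice(0, eq).trim(),
    value: parts[0].slice(eq + 1).trim(),
    secure: false,
    sameSite: null, // null: the attribute was not set at all
  };
  for (const attr of parts.slice(1)) {
    const [k, v] = attr.split('=').map((s) => s.trim());
    const key = k.toLowerCase();
    if (key === 'secure') cookie.secure = true;
    else if (key === 'samesite') cookie.sameSite = (v || '').toLowerCase();
  }
  return cookie;
}

// SameSite mode Chrome 80 applies to a parsed cookie:
//   no attribute            -> 'lax'      (the new default)
//   None with Secure        -> 'none'
//   None without Secure     -> 'rejected' (cookie is dropped entirely)
//   Strict                  -> 'strict'
function effectiveSameSite(cookie) {
  if (cookie.sameSite === null) return 'lax';
  if (cookie.sameSite === 'none') return cookie.secure ? 'none' : 'rejected';
  if (cookie.sameSite === 'strict') return 'strict';
  return 'lax'; // explicit Lax and unrecognised values
}

// Does the browser attach the cookie to a cross-site request?
// request = { method, topLevel, ageSeconds }
//   topLevel: true for a top-level navigation (link click, form submit),
//             false for subresources (img, script, XHR, iframe).
function sentCrossSite(cookie, request) {
  const mode = effectiveSameSite(cookie);
  if (mode === 'rejected' || mode === 'strict') return false;
  if (mode === 'none') return true;
  // Lax: top-level navigations with a safe method only ...
  if (request.topLevel && (request.method === 'GET' || request.method === 'HEAD')) return true;
  // ... plus the "Lax + POST" mitigation: a cookie with NO explicit SameSite
  // attribute that is under two minutes old is still sent on a top-level POST.
  if (request.topLevel && request.method === 'POST' &&
      cookie.sameSite === null && request.ageSeconds < 120) return true;
  return false;
}

// Audit a list of Set-Cookie headers and report what needs fixing.
function auditSetCookies(headers) {
  return headers.map(parseSetCookie).map((c) => {
    const effective = effectiveSameSite(c);
    let issue = null;
    if (c.sameSite === null) issue = 'no SameSite attribute: Chrome 80 defaults it to Lax';
    else if (effective === 'rejected') issue = 'SameSite=None without Secure: Chrome 80 rejects it';
    return { name: c.name, effective, issue };
  });
}

// Client-side: build a document.cookie string for a cookie that must work
// cross-site. SameSite=None is only honoured with Secure, and Secure cookies
// can only be set from an HTTPS page, so fall back to Lax elsewhere.
function crossSiteCookieString(name, value, isSecureContext) {
  const base = name + '=' + encodeURIComponent(value) + '; Path=/';
  return isSecureContext ? base + '; Secure; SameSite=None' : base + '; SameSite=Lax';
}

// Constructed sample headers (not real B2C Commerce output).
const SAMPLE_HEADERS = [
  'dwsid=abc123; Path=/; HttpOnly',                          // no SameSite -> Lax
  'dwanonymous_x=def456; Path=/; SameSite=None',              // None without Secure -> rejected
  'dwsid=abc123; Path=/; Secure; HttpOnly; SameSite=None',    // correct for cross-site use
];
```

Run auditSetCookies(SAMPLE_HEADERS) against the headers your storefront actually returns (for example, captured from the browser's network panel) to list every cookie that will change behaviour, and use sentCrossSite to check the specific embeds and form posts your site depends on before Chrome 80 ships.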

You can also test with the Firefox browser. In the about:config preferences, set both of the following preferences to true:
