Support Cookie SameSite Attribute Changes

Google Chrome 80 introduced a new default cookie attribute setting of SameSite=Lax. Previously, the SameSite cookie attribute defaulted to SameSite=None. Also new with Chrome 80, when SameSite is set to None, cookies must be tagged with the Secure attribute indicating that they require an encrypted HTTPS connection. Chrome 80 was released in February 2020. Google is gradually activating the changes for users who updated their browsers. Other browser vendors are expected to make similar changes.

To make sure your storefront works with the new cookie behavior, take the following actions:

Enable Enforce HTTPS

We have implemented changes to ensure that cookies behave as expected after the new cookie settings are activated. You must enable the global security preference Enforce HTTPS so that the server can mark cookies with the Secure attribute and specify SameSite=None. If Enforce HTTPS is not enabled, the server does not specify the SameSite attribute. In that case, the browser uses its own default SameSite setting and might not send cookies in cross-site contexts. Depending on the significance of the cookie, not sending it can break critical site functionality.

To enable the global security preference Enforce HTTPS, in Business Manager, go to Administration > Global Preferences > Security. On the Access Restrictions tab, select Enforce HTTPS and click Apply.

Important:

You must enable the global security preference Enforce HTTPS. Enabling Enforce HTTPS as a site preference doesn’t enable the necessary functionality. See Enforce HTTPS for more information about the effects of enabling Enforce HTTPS globally and per site.

We recommend that you test enabling Enforce HTTPS on a non-production instance before implementing the change on a production instance.

Test Client-Side Code

If you set cookies using custom client-side JavaScript, test to determine if your code requires adjustments to accommodate the cookie attribute changes.

Test Cross-Site Scenarios

A cross-site scenario occurs when a user's browser, while on your site, sends content to or retrieves content from a site with a different domain name. Common cross-site scenarios affected by the SameSite cookie attribute occur when:

To help with testing, you can force the new cookie behavior in Chrome by setting both of the following flags to Enabled:

For cookies that are less than two minutes old, with no SameSite attribute set, Chrome defaults to SameSite=None for cross-site POST requests. You can turn off this feature by running Chrome from the command line with the flag --enable-features=SameSiteDefaultMethodRigorously. Refer to SameSite Updates for more information.
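The following JavaScript is an added illustration, not code from the original page or from the platform. It models the Chrome 80 rules described above (a cookie with no SameSite attribute is treated as Lax, SameSite=None without Secure is rejected, and the two-minute cross-site POST allowance) so you can check what a given cookie string will do before testing in a browser. The helper names and the cookie name `sid` are assumptions.

```javascript
// Parse "name=value; Attr; Attr=val" into { name, value, attrs } (attribute keys lowercased).
function parseCookie(cookieString) {
  const [pair, ...rest] = cookieString.split(';').map((s) => s.trim());
  const eq = pair.indexOf('=');
  const attrs = {};
  for (const part of rest) {
    const i = part.indexOf('=');
    const key = (i === -1 ? part : part.slice(0, i)).toLowerCase();
    attrs[key] = i === -1 ? true : part.slice(i + 1);
  }
  return { name: pair.slice(0, eq), value: pair.slice(eq + 1), attrs };
}

// Effective SameSite mode under Chrome 80:
//   no attribute        -> 'Lax-by-default'
//   None without Secure -> 'rejected' (the browser drops the cookie entirely)
function effectiveSameSite(cookieString) {
  const { attrs } = parseCookie(cookieString);
  const raw = typeof attrs.samesite === 'string' ? attrs.samesite.toLowerCase() : null;
  if (raw === 'none') return attrs.secure === true ? 'None' : 'rejected';
  if (raw === 'strict') return 'Strict';
  if (raw === 'lax') return 'Lax';
  return 'Lax-by-default';
}

// Would Chrome 80 attach this cookie to a cross-site request?
// ageSeconds models the allowance described in the text: a cookie under two minutes
// old with no SameSite attribute is still sent on a cross-site POST.
function sentCrossSite(cookieString, { method = 'GET', topLevelNavigation = false, ageSeconds = Infinity } = {}) {
  const mode = effectiveSameSite(cookieString);
  const verb = method.toUpperCase();
  if (mode === 'None') return true;
  if (mode === 'rejected' || mode === 'Strict') return false;
  if (mode === 'Lax-by-default' && verb === 'POST' && ageSeconds < 120) return true;
  // Lax (explicit or default): only top-level navigations using safe methods carry the cookie.
  return topLevelNavigation && ['GET', 'HEAD', 'OPTIONS', 'TRACE'].includes(verb);
}

// Cookie string a storefront can set from client-side JavaScript when the cookie
// genuinely must travel cross-site: SameSite=None is always paired with Secure.
function buildCrossSiteCookie(name, value) {
  return `${name}=${encodeURIComponent(value)}; Path=/; Secure; SameSite=None`;
}

// In a browser you would apply it with: document.cookie = buildCrossSiteCookie('sid', 'abc');
```

Run `sentCrossSite` over the cookies your storefront actually sets to see which ones stop being sent in embedded (non-navigation) cross-site requests once Lax-by-default applies.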

You can also test with the Firefox browser. In the about:config preferences, set both of the following preferences to true:
