Support Cookie SameSite Attribute Changes

Many browser vendors, for example Google Chrome, have introduced a new default cookie attribute setting of SameSite=Lax. Previously, the SameSite cookie attribute defaulted to SameSite=None. When SameSite is set to None, cookies must be tagged with the Secure attribute indicating that they require an encrypted HTTPS connection.

To make sure your storefront works with the new cookie behavior, take the following actions:

Enable Enforce HTTPS

We have implemented changes to ensure that cookies behave as expected after new cookie settings are activated. You must enable the global security preference Enforce HTTPS so that the server can mark cookies with the Secure attribute and specify SameSite=None. If Enforce HTTPS is not enabled, the server does not specify the SameSite attribute. In that case, the browser uses its own default SiteSame setting and might not send cookies in cross-site contexts. Depending on the significance of the cookie, not sending it can break critical site functionality.

To enable the global security preference Enforce HTTPS, in Business Manager, go to Administration > Global Preferences > Security. On the Access Restrictions tab, select Enforce HTTPS and click Apply.


You must enable the global security preference Enforce HTTPS. Enabling Enforce HTTPS as a site preference doesn’t enable the necessary functionality. See Enforce HTTPS for more information about the effects of enabling Enforce HTTPS globally and per site.

We recommend that you test enabling Enforce HTTPS on a non-production instance before implementing the change on a production instance.

Test Client-Side Code

If you set cookies using custom client-side JavaScript, test to determine if your code requires adjustments to accommodate the cookie attribute changes.

Test Cross-Site Scenarios

A cross-site scenario is when a user on your site uses a browser to send or retrieve content to or from a site with a different domain name. Common cross-site scenarios affected by the SameSite cookie attribute occur when:

If you are testing using Chrome, keep in mind that cookies that are less than two minutes old, with no SameSite attribute set, default to SameSite=None for cross-site POST requests. You can turn off this feature by running Chrome from the command line with the flag --enable-features=SameSiteDefaultMethodRigorously. Refer to SameSite Updates for more information.

To test with the Firefox browser, in the about:config preferences, set both of the following preferences to true:

X Privacy Update: We use cookies to make interactions with our websites and services easy and meaningful, to better understand how they are used. By continuing to use this site you are giving us your consent to do this. Privacy Policy.