Support Article - Google Chrome SameSite Cookie Attribute

Table of Contents


Product Version

7.6

Product To Version


Status

1 Introduction

Starting with Google Chrome 80 no 3rd party cookie is sent to another page when there is no SameSite flag at the cookie. Usually, this is no issue for Intershop 7, but there are two special cases influenced by the Chrome policy: Punchout and some payment methods.

1.1 References

2 Punchout

Intershop 7 has an OCI Punchout feature in the B2B storefront. When changing to the external system, an HTML frame and the SID cookie is used to track the Intershop session.

This is usually working well. However, with the new Chrome 80 change, cookies such as the SID cookie are not transferred to the external site. This means that the Intershop session is lost and Punchout does no longer work.

In order to transfer the SID cookie to the external system, a SameSite=None attribute must be added. Additionally, the same cookie must be set to Secure.

It is easily possible to set the cookie attributes in the global webadapter.properties (in $IS_Share/system/config/cluster). The property session.SIDCookie must be adapted, example:

session.SIDCookie=Set-Cookie: sid=%v; Path=/; Version=1; HttpOnly; SameSite=None; Secure

A restart is not necessary, Punchout within a frame now works as before Chrome 80.

Please note the remarks below.

3 Payment Providers

The same behavior occurs along with some payment providers when using Redirect before/after Checkout. Usually, it is enough to do the same configuration change as above, setting the SameSite attribute and the Secure flag:

session.SIDCookie=Set-Cookie: sid=%v; Path=/; Version=1; HttpOnly; SameSite=None; Secure

It might be possible that different payment providers need to set additional cookies with the SameSite attribute. In this case Apaches mod_header can be used, example:

Header edit Set-Cookie ^(SecureSessionID.*)$ $1;SameSite=None;Secure

In this example the SecureSessionID cookie is also set accordingly.
Later Intershop versions will be able to set the cookie attributes for other cookies individually as well.

Please note the remarks below.

4 Remarks

4.1 Secured Connection

As already mentioned, in addition to the SameSite attribute, the Secure flag must also be set for the SID. This results in a major implication: The SID cookie is only transferred from the browser back to the Intershop application if the connection is secured via https.
If this is not the case, the session and all session related information like login state or basket are lost. This means that when using Punchout or some payment providers, the entire store must be secured via https.

4.2 The Storefront in a Frame

When using PunchOut and the Intershop storefront is shown in a frame, the default cookie test might fail and a message like the following might be displayed:
It appears that your browser has cookies disabled.


In this case the test cookie must be set also to SameSite=None; Secure in the template:
a_responsive/app_sf_responsive/staticfiles/cartridge/templates/default/inc/CookiesDisabledOverlay.isml

Therefore change the following line:

document.cookie = name + '=;';

to:

if(location.protocol == 'https:')
{
 document.cookie = name + '=; Secure; SameSite=None;';
}
else
{
 document.cookie = name + '=;';
}

4.3 Incompatibilities

There are browsers that don't handle the SameSite attribute correctly. Especially Safari on iOS 12 or Mac OS 10.14 treat SameSite=none as SameSite=strict, which has the opposite meaning. So, setting SameSite=none results in a working Punchout resp. Payment process for all browsers except those Safari versions. More information
https://itnext.io/user-agent-sniffing-only-way-to-deal-with-upcoming-samesite-cookie-changes-6f79a18e541

The solution would be not to set SameSite=none for those Safari versions. Here is an example for Apache configuration, that sets the SameSite=none only for the not affected versions:

<If "%{HTTP_USER_AGENT} !~ /(iPhone; CPU iPhone OS 1[0-3]|iPad; CPU OS 1[0-3]|iPod touch; CPU iPhone OS 1[0-3]|Macintosh; Intel Mac OS X.*Version\x2F1[0-3].*Safari|Macintosh;.*Mac OS X 10_14.* AppleWebKit.*Version\x2F1[0-3].*Safari)/i">
Header edit Set-Cookie ^(.*)$ $1;SameSite=None;Secure
</If>

More information about compatibilities can be found here:

https://developer.mozilla.org/en-US/docs/Web/HTTP/Headers/Set-Cookie/SameSite#browser_compatibility

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.

Customer Support
Knowledge Base
Product Resources
Tickets