Document Properties
Kbid2S9383
Last Modified22-Apr-2020
Added to KB22-Apr-2020
Public AccessEveryone
StatusOnline
Doc TypeSupport Articles
Product
  • ICM 7.6
  • ICM 7.7
  • ICM 7.8
  • ICM 7.9
  • ICM 7.10

Support Article - Google Chrome SameSite Cookie Attribute

1 Introduction

Starting with Google Chrome 80 no 3rd party cookie is sent to another page when there is no SameSite flag at the cookie. Usually, this is no issue for Intershop 7, but there are two special cases influenced by the Chrome policy: Punchout and some payment methods.

1.1 References

2 Punchout

Intershop 7 has an OCI Punchout feature in the B2B storefront. When changing to the external system, an HTML frame and the SID cookie is used to track the Intershop session.

This is usually working well. However, with the new Chrome 80 change, cookies such as the SID cookie are not transferred to the external site. This means that the Intershop session is lost and Punchout does no longer work.

In order to transfer the SID cookie to the external system, a SameSite=None attribute must be added. Additionally, the same cookie must be set to Secure.

It is easily possible to set the cookie attributes in the global webadapter.properties (in $IS_Share/system/config/cluster). The property session.SIDCookie must be adapted, example:

session.SIDCookie=Set-Cookie: sid=%v; Path=/; Version=1; HttpOnly; SameSite=None; Secure

A restart is not necessary, Punchout within a frame now works as before Chrome 80.

3 Payment Providers

The same behavior occurs along with some payment providers when using Redirect before/after Checkout. Usually, it is enough to do the same configuration change as above, setting the SameSite attribute and the Secure flag:

session.SIDCookie=Set-Cookie: sid=%v; Path=/; Version=1; HttpOnly; SameSite=None; Secure

It might be possible that different payment providers need to set additional cookies with the SameSite attribute. In this case Apaches mod_rewrite can be used, example:

Header edit Set-Cookie ^(SecureSessionID.*)$ $1;SameSite=None;Secure

In this example the SecureSessionID cookie is also set accordingly.
Later Intershop versions will be able to set the cookie attributes for other cookies individually as well.

4 Remarks

4.1 Secured Connection

As already mentioned, in addition to the SameSite attribute, the Secure flag must also be set for the SID. This results in a major implication: The SID cookie is only transferred from the browser back to the Intershop application if the connection is secured via https.
If this is not the case, the session and all session related information like login state or basket are lost. This means that when using Punchout or some payment providers, the entire store must be secured via https.

4.2 The Storefront in a Frame

When using PunchOut and the Intershop storefront is shown in a frame, the default cookie test might fail and a message like the following might be displayed:
It appears that your browser has cookies disabled.


In this case the test cookie must be set also to SameSite=None; Secure in the template:
a_responsive/app_sf_responsive/staticfiles/cartridge/templates/default/inc/CookiesDisabledOverlay.isml

Therefore change the following line:

document.cookie = name + '=;';

to:

if(location.protocol == 'https:') {
  document.cookie = name + '=; Secure; SameSite=None;';
} else {
  document.cookie = name + '=;';
}

Disclaimer

The information provided in the Knowledge Base may not be applicable to all systems and situations. Intershop Communications will not be liable to any party for any direct or indirect damages resulting from the use of the Customer Support section of the Intershop Corporate Web site, including, without limitation, any lost profits, business interruption, loss of programs or other data on your information handling system.

Customer Support
Knowledge Base
Product Resources
Support Tickets