How does the Chrome SameSite Cookie policy affect my Magento integration?

The Chrome SameSite Cookie policy was released on the 4th of February 2020 with the launch of Chrome v80 by Google. In light of COVID-19 these changes were temporarily rolled back in April, see their full press release. Since the 14th of July the global roll-out of the Chrome SameSite Cookie policy is being resumed.

After the first release, we saw an increase in issues for our Magento merchants related to 3DS payments: they were experiencing unusually high levels of incomplete 3DS orders. After investigating and running several tests, we found that the issues resulting from the Chrome cookie policy are unfortunately not something that can be resolved from Adyen's side. Adyen only uses tracking cookies and a session cookie called JSESSIONID.

About Chrome's SameSite Cookie Policy

For users running Chrome v80 and higher, Chrome enforces a secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None;Secure will be available in third-party contexts, provided they are being accessed over secure connections. Do note that the SameSite attribute is not yet widely supported in older browsers, nor in Safari and Firefox. Rowan Merewood, Developer Advocate for Chrome at Google, has provided a more comprehensive explanation of this policy.

When will it be fixed by Magento?

The issue has already been flagged with Magento through a GitHub issue. We have been in touch with Magento, and they have no clear timeline yet for a release with a fix. Magento asked us to comment on the GitHub issue, to raise awareness within their organisation and prioritise accordingly. Therefore, if you are experiencing issues, please use the text below (or your own if you like) and comment on the GitHub issue.

Same site cookie policy issue in Magento2

Since the SameSite cookie changes, redirect payment method flows can break when the issuer redirects back to the Magento site with a POST request. When Magento processes the POST request it starts by loading the cart from the session, and to do so it reads the SESSION cookie. Unfortunately the SESSION cookie is not set as `SameSite=None; Secure`, so the browser declines to send the cookie on the cross-site POST, the process fails, and Magento redirects to the empty cart page. Since the redirect is not handled by Magento, the payment is not finalised and the order stays as new.

To solve this issue the SESSION cookie should be set as `SameSite=None; Secure` so POST requests from outside of the Magento website domain can also be processed.
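The break described above, traced through a small model of the Chrome 80 cookie rules (an added example, not Adyen's, Magento's or Veriteworks' code): the cookie name, the timestamps and the 3DS durations are constructed, and the two-minute "Lax + POST" grace window is Chrome's documented mitigation for cookies that carry no SameSite attribute.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

# Chrome 80 "Lax + POST" mitigation: a cookie with no SameSite attribute is still sent on a
# cross-site top-level POST if it was set less than 2 minutes before the request.
LAX_POST_GRACE = timedelta(minutes=2)

@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when the attribute is omitted
    secure: bool
    set_at: datetime

@dataclass
class Request:
    method: str        # "GET" or "POST"
    scheme: str        # "https" or "http"
    cross_site: bool   # initiator site differs from the cookie's site (issuer -> merchant)
    top_level: bool    # navigation (redirect / auto-submitted form) rather than a subresource
    at: datetime

def cookie_sent(cookie: Cookie, req: Request) -> bool:
    """Model of Chrome 80+ SameSite enforcement: does the browser attach this cookie?"""
    mode = cookie.samesite
    if mode is None:                       # unattributed cookie: treated as Lax ...
        if (req.cross_site and req.top_level and req.method == "POST"
                and req.at - cookie.set_at < LAX_POST_GRACE):
            return True                    # ... except inside the Lax + POST grace window
        mode = "Lax"
    if mode == "None":                     # cross-site use requires Secure and an HTTPS request
        return cookie.secure and req.scheme == "https"
    if not req.cross_site:
        return True
    if mode == "Strict":
        return False
    return req.top_level and req.method == "GET"   # Lax: cross-site only on top-level GETs

SESSION_START = datetime(2020, 7, 14, 12, 0)   # constructed: shopper starts checkout

def magento_session_cookie(samesite: Optional[str], secure: bool = True) -> Cookie:
    # "SESSION" is the generic name used in the text, not Magento's actual cookie name
    return Cookie("SESSION", samesite, secure, SESSION_START)

def threeds_return(cookie: Cookie, minutes_in_3ds: float, method: str = "POST") -> bool:
    """Issuer redirects the shopper back to Magento; True if the session cookie survives."""
    req = Request(method, "https", cross_site=True, top_level=True,
                  at=SESSION_START + timedelta(minutes=minutes_in_3ds))
    return cookie_sent(cookie, req)
```

Run `threeds_return(magento_session_cookie(None), 10)` to see the unattributed cookie dropped on the issuer's POST, and `threeds_return(magento_session_cookie("None"), 10)` to see the `SameSite=None; Secure` cookie survive; the same cookie passes a GET-based return either way, which is why only POST flows break.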

How to fix (or prepare for) it?

Unfortunately, Adyen cannot fix the issues for our Magento merchants. However, in the comments of the GitHub issue a temporary fix is mentioned by Veriteworks. We cannot help our merchants with this fix, so if you have questions about it, please reach out to Veriteworks through the temporary fix GitHub Repository.

If you prefer to build your own temporary fix for this, a comprehensive guide with sequence diagrams is available for you to use. Note that your cookies have to be set with the correct attributes so that the warnings/errors do not appear. If you are looking for guidance on how to modify your cookies based on your current stack, examples have been provided on how to properly configure the cookies for the stack you are working with.

If you want to test your solution fully but are unable to see the warnings, enable the experimental flags at chrome://flags and set all the flags named "SameSite" to "Enabled".

Unfortunately, Adyen cannot help you with this fix. If you have questions in regards to any of these above mentioned links, please reach out to the GitHub owner, or raise an issue on GitHub.

We hope that Magento can prioritise this issue as soon as possible.
