How does the Chrome SameSite Cookie policy affect my Magento integration?

We have seen an increase in issues that resulted in merchants experiencing higher levels of incomplete 3DS orders. After further investigation, we found that the 3DS drop-offs were caused by the updated Chrome SameSite Cookie policy that Google began to enforce, initially rolling it out to a limited population at the end of July and gradually increasing the rollout until it reached 100% on the 11th of August.

About Chrome's SameSite Cookie Policy

For users running Chrome 80 and higher, Chrome is enforcing a secure-by-default cookie classification system, treating cookies that have no declared SameSite value as SameSite=Lax cookies. Only cookies set as SameSite=None; Secure will be available in third-party contexts, provided they are being accessed from secure connections. Note that the SameSite attribute is not yet widely supported in older browsers, or in Safari and Firefox.

The fix

After we noticed our merchants were experiencing issues, we immediately flagged it with Magento in their GitHub issue. A few weeks ago Magento made us aware that they expected some changes from Adyen’s side, which our developers have now released. Magento is also going to let developers configure the SameSite Cookie type for each cookie variable; this will be added in a future Magento release.

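In our new release (6.5.0) we pass the extra redirect parameters redirectFromIssuerMethod, redirectToIssuerMethod and returnUrl to the /payments request so that Adyen returns the response via GET and not POST. Cookies treated as SameSite=Lax are still sent on a top-level GET navigation from another site but are withheld on a cross-site POST, so the GET return avoids the SameSite check.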
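To see why returning via GET matters, the following added example (not code from Adyen, Magento or Chrome) models Chrome's cookie decision for the top-level cross-site navigation back from the issuer. The function names, the sample Set-Cookie values and the 600-second cookie age are constructed for illustration; the return URL is assumed to be HTTPS, and the 120-second window reflects Chrome's temporary "Lax+POST" allowance for cookies with no SameSite attribute.

```javascript
// Simplified model of Chrome 80+ SameSite handling for a top-level cross-site
// navigation over HTTPS, such as the issuer returning the shopper to the shop.
// Added illustration with constructed sample data; not Chrome's or Adyen's code.

const LAX_POST_WINDOW_SECONDS = 120; // Chrome's temporary "Lax+POST" allowance

// Extract the attributes that matter here from a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(';').map((s) => s.trim());
  const cookie = { name: pair.split('=')[0], sameSite: null, secure: false };
  for (const attr of attrs) {
    const [key, value = ''] = attr.split('=');
    if (key.toLowerCase() === 'samesite') cookie.sameSite = value.toLowerCase();
    if (key.toLowerCase() === 'secure') cookie.secure = true;
  }
  return cookie;
}

// Is the cookie attached when another site navigates the top-level page to us?
function sentOnCrossSiteReturn(header, method, ageSeconds) {
  const cookie = parseSetCookie(header);
  const isGet = method.toUpperCase() === 'GET';
  switch (cookie.sameSite) {
    case 'strict': return false;          // never sent on cross-site navigation
    case 'none': return cookie.secure;    // None without Secure is rejected
    case 'lax': return isGet;             // explicit Lax: GET only
    default:                              // no declared SameSite: treated as Lax
      return isGet || ageSeconds <= LAX_POST_WINDOW_SECONDS;
  }
}

// Compare a POST return with a GET return for each cookie variant.
function checkoutReturnMatrix(headers, ageSeconds) {
  return headers.map((h) => ({
    cookie: h,
    viaPOST: sentOnCrossSiteReturn(h, 'POST', ageSeconds),
    viaGET: sentOnCrossSiteReturn(h, 'GET', ageSeconds),
  }));
}

// Constructed session cookies, set 10 minutes before the 3DS return.
const SAMPLE_COOKIES = [
  'PHPSESSID=abc123; Path=/; HttpOnly',
  'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=Lax',
  'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None',
  'PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None; Secure',
];
console.table(checkoutReturnMatrix(SAMPLE_COOKIES, 600));
```

A session cookie with no SameSite value that is older than two minutes is dropped on the POST return, which is the case that leaves the 3DS order incomplete; the same cookie is sent on a GET return.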

If you want to test your solution fully but are unable to see the warnings, you have to enable the experimental flags, which can be found on chrome://flags, and set all the flags named "SameSite" to "Enabled".

We highly recommend that you upgrade your Magento 2 version to the released 6.5.0 in order to resolve the SameSite Cookie issue. If you cannot upgrade to this release (which we do recommend), you can implement the following commit of the patch.



