How does the Chrome SameSite Cookie policy affect my Magento integration?

We have seen an increase in issues in which merchants experienced higher levels of incomplete 3DS orders. After further investigation, we found that the cause of the 3DS drop-offs was the updated Chrome SameSite cookie policy, which Google began enforcing for a limited population at the end of July and gradually increased until it reached 100% of users on the 11th of August.

About Chrome's SameSite Cookie Policy

For users running Chrome 80 and higher, Chrome enforces a secure-by-default cookie classification system: cookies with no declared SameSite value are treated as SameSite=Lax. Only cookies set with SameSite=None; Secure remain available in third-party contexts, and only when they are accessed over a secure (HTTPS) connection. Note that the SameSite attribute is not yet widely supported in older browsers, nor in Safari and Firefox.

The fix

After we noticed our merchants were experiencing issues, we immediately flagged it with Magento in their GitHub issue. Magento made us aware that they expected some changes from Adyen's side, which our developers have now released. Magento is also going to let developers configure the SameSite cookie type for each cookie variable; this will be added in a future Magento release.

In our new release (6.6.5) we have resolved the Chrome cookie policy issue, so no changes are needed from our merchants. In the new version we introduced a new controller which receives the POST request from the issuer page after the 3DS1 authentication. Since the session cookie is not available there (the POST request comes from an external URL), instead of processing the data we POST it on to the original Process/redirect controller. That controller can now read the cookie because the request comes from the same URL.
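To make the policy and the fix concrete, here is an added example that is not part of this article and not code from the Adyen plugin or from Magento. It models Chrome's SameSite rules for a cookie on a given request (undeclared value treated as Lax, None requiring Secure over HTTPS, and Chrome's "Lax + POST" exception that still sends an undeclared cookie on a cross-site top-level POST if the cookie was set less than two minutes earlier), then walks the 3DS1 return through the cross-site POST from the issuer and through the same-site re-POST the plugin performs. The cookie name PHPSESSID and the request flags are assumptions for the simulation.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass
class Cookie:
    name: str
    samesite: Optional[str]   # "Strict", "Lax", "None", or None when not declared
    secure: bool = False      # Secure attribute present
    age_seconds: int = 0      # seconds since the cookie was set (constructed value)


@dataclass
class Request:
    method: str
    https: bool
    cross_site: bool          # initiator site differs from the target site
    top_level: bool           # top-level navigation, not a fetch or iframe load


# Chrome's "Lax + POST" mitigation: an undeclared cookie younger than this is still
# sent on a cross-site top-level POST.
LAX_POST_WINDOW_SECONDS = 120


def cookie_is_sent(cookie: Cookie, req: Request) -> bool:
    """Decide whether Chrome 80+ attaches `cookie` to `req`."""
    mode = cookie.samesite or "Lax"  # undeclared SameSite is treated as Lax
    if mode == "None":
        # SameSite=None is only honoured together with Secure on an HTTPS request;
        # without Secure Chrome rejects the cookie outright, so it is never sent.
        return cookie.secure and req.https
    if not req.cross_site:
        return True  # same-site requests always carry Lax and Strict cookies
    if mode == "Strict":
        return False
    # Lax: cross-site only on top-level navigations using a safe method
    if req.top_level and req.method.upper() in ("GET", "HEAD"):
        return True
    # Default-Lax (attribute undeclared) additionally gets the Lax+POST exception
    if (cookie.samesite is None and req.top_level
            and req.method.upper() == "POST"
            and cookie.age_seconds < LAX_POST_WINDOW_SECONDS):
        return True
    return False


def cookies_sent(cookies: List[Cookie], req: Request) -> List[str]:
    """Names of the cookies from `cookies` that Chrome would attach to `req`."""
    return [c.name for c in cookies if cookie_is_sent(c, req)]


def three_ds1_return(session_age: int, same_site_hop: bool) -> bool:
    """Simulate the 3DS1 return to the shop.

    Returns True when the Magento session cookie reaches the controller that
    finalises the payment. `same_site_hop` models the plugin's new controller,
    which receives the issuer's POST and re-POSTs it to the original controller
    on the shop's own origin.
    """
    # Assumed: Magento's session cookie, set without a SameSite attribute.
    session = Cookie("PHPSESSID", samesite=None, age_seconds=session_age)
    # Step 1: the issuer's ACS page POSTs the authentication result to the shop.
    from_issuer = Request(method="POST", https=True, cross_site=True, top_level=True)
    if not same_site_hop:
        return cookie_is_sent(session, from_issuer)
    # Step 2: the receiving controller forwards the data with a POST from the
    # shop's own origin, so this request is same-site and carries the cookie.
    same_origin = Request(method="POST", https=True, cross_site=False, top_level=True)
    return cookie_is_sent(session, same_origin)


if __name__ == "__main__":
    print("session 10 min old, direct POST from issuer:",
          three_ds1_return(session_age=600, same_site_hop=False))
    print("session 10 min old, same-site re-POST:",
          three_ds1_return(session_age=600, same_site_hop=True))
    print("session 30 s old, direct POST from issuer:",
          three_ds1_return(session_age=30, same_site_hop=False))
```

The third case is the reason the drop-offs looked intermittent: a shopper who reached the 3DS page within two minutes of the session cookie being set was covered by the Lax + POST exception, while anyone who had browsed the shop for longer lost the session on the cross-site POST. The same-site hop removes that dependency on cookie age, which is why no merchant-side change is required.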

If you want to test your solution fully but cannot see the warnings, enable the experimental flags at chrome://flags and set all the entries named "SameSite" to "Enabled".

We highly recommend upgrading to the released version 6.6.5 of our Magento 2 plugin in order to resolve the SameSite cookie issue.

To resolve this issue, we had to drop support for Magento 2.2.8 and lower. Magento made important security fixes after 2.2.9. If you are using one of these versions, please follow:

How can we solve the Chrome Cookie policy issues for Magento 2 platform version 2.2.8 and lower?



