
SameSite cookie configuration changes

· 3 min read
Andy Green

As of version 80, Google Chrome has changed how it handles cookies that are set without a SameSite attribute. Previously such a cookie was sent with every request to the cookie's domain, including requests made from pages on other sites (for example a form loaded in an iframe). The new default is to treat a cookie with no SameSite attribute as SameSite=Lax, so it is no longer sent with cross-site subresource requests such as iframes. A cookie that still needs to be sent cross-site must be set explicitly with SameSite=None, and Chrome only accepts SameSite=None when the Secure flag is also present, which in turn means the cookie is only ever sent over HTTPS.

This will cause an issue anywhere a session (or other) cookie is needed in a browser window where the site in the address bar does not match the site that set the cookie. The main example within the Jadu platform is an XFP form embedded on another website. The form relies on its session cookie, which belongs to the domain the embedded form is served from (e.g. mainxfpsite.com) and not to the site the form is displayed on (e.g. galaxysite.com). Chrome no longer sends that cookie with the embedded request, XFP detects the missing session and displays a "technical error" message.
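To make the new rule concrete, here is an added example (not Jadu's code and not part of the original article) that models Chrome 80's decision in JavaScript: whether a Set-Cookie header is stored at all, and whether a stored cookie is attached to a request given its context. The sample headers and the embedded-form context (a cross-site iframe, as in the mainxfpsite.com / galaxysite.com case) are constructed for the example; the 120-second Lax+POST allowance is Chrome's temporary mitigation for cookies set without a SameSite attribute and is included here as an assumption about that release.

```javascript
// Added example (not Jadu code): a model of how Chrome 80 decides whether a
// cookie is stored and whether it is attached to a request. All inputs are
// constructed for illustration.

const SAFE_METHODS = ['GET', 'HEAD'];
const LAX_POST_GRACE_SECONDS = 120; // assumed: Chrome 80's temporary "Lax+POST" allowance

// Parse a Set-Cookie header value into the attributes the rules care about.
function parseSetCookie(header) {
  const [nameValue, ...attrs] = header.split(';').map((s) => s.trim());
  const eq = nameValue.indexOf('=');
  const cookie = {
    name: nameValue.slice(0, eq),
    value: nameValue.slice(eq + 1),
    secure: false,
    httpOnly: false,
    sameSite: null, // null = attribute absent
  };
  for (const attr of attrs) {
    const [key, val = ''] = attr.split('=');
    switch (key.toLowerCase()) {
      case 'secure': cookie.secure = true; break;
      case 'httponly': cookie.httpOnly = true; break;
      case 'samesite': cookie.sameSite = val.toLowerCase(); break;
      default: break; // Path, Domain, Expires etc. do not matter here
    }
  }
  return cookie;
}

// Chrome 80 refuses to store a SameSite=None cookie that is not also Secure.
function chrome80Stores(cookie) {
  return !(cookie.sameSite === 'none' && !cookie.secure);
}

// Would Chrome 80 attach `cookie` to a request made in context `ctx`?
// ctx = { crossSite, topLevelNavigation, method, https, cookieAgeSeconds }
function chrome80Sends(cookie, ctx) {
  if (!chrome80Stores(cookie)) return false;     // never stored, so never sent
  if (cookie.secure && !ctx.https) return false; // Secure cookies stay off plain HTTP
  if (!ctx.crossSite) return true;               // same-site requests always carry it
  switch (cookie.sameSite) {
    case 'none':
      return true;
    case 'strict':
      return false;
    case 'lax':
      return ctx.topLevelNavigation && SAFE_METHODS.includes(ctx.method);
    default: {
      // No attribute: treated as Lax, plus the Lax+POST allowance for cookies
      // set less than two minutes before a cross-site top-level POST.
      if (!ctx.topLevelNavigation) return false;
      if (SAFE_METHODS.includes(ctx.method)) return true;
      const age = ctx.cookieAgeSeconds === undefined ? Infinity : ctx.cookieAgeSeconds;
      return ctx.method === 'POST' && age < LAX_POST_GRACE_SECONDS;
    }
  }
}

// The embedded-form case from the article: the session cookie of the site that
// serves the form, requested from inside an iframe on a different site.
const EMBEDDED_FORM = { crossSite: true, topLevelNavigation: false, method: 'GET', https: true };

function embeddedFormWorks(setCookieHeader, https = true) {
  return chrome80Sends(parseSetCookie(setCookieHeader), { ...EMBEDDED_FORM, https });
}

console.log(embeddedFormWorks('PHPSESSID=abc123; Path=/; HttpOnly'));                               // false
console.log(embeddedFormWorks('PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None; Secure'));        // true
console.log(embeddedFormWorks('PHPSESSID=abc123; Path=/; HttpOnly; SameSite=None; Secure', false)); // false
```

The first call is the failing case described above: the cookie is stored, but a cross-site iframe request does not get it. The second is the fix this article rolls out. The third shows why the fix also requires HTTPS: once the cookie is Secure it is never sent on a plain HTTP request, so an embedded form served over http:// fails for a different reason.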

Further information is available in the Chromium blog

Instructions for rollout on Linux systems

  1. Create a new file at <install_path>/config/apache/custom.d/same-site-cookie.conf (the path may differ depending on installation location, e.g. /etc/httpd/conf/)

  2. Content of the file should be:

    <IfModule mod_headers.c>
        Header always edit Set-Cookie ^(.*)$ "$1; HttpOnly; SameSite=None; Secure"
    </IfModule>

  3. Restart Apache

This changes the main site to append SameSite=None, Secure and HttpOnly to every cookie it sets. Two things to check before rolling this out: the site must be served over HTTPS, because Chrome 80 will not store a SameSite=None cookie that is not Secure and never sends a Secure cookie over plain HTTP; and HttpOnly stops client-side JavaScript from reading any of the site's cookies, so confirm nothing on the site relies on document.cookie. Note also that the edit appends unconditionally, so a cookie that already carries a SameSite or HttpOnly attribute will end up with that attribute repeated in the header.

The change cannot reliably be applied only to XFP embedded forms because:

  1. In Photon implementations, all requests are handled by the same app.php file, so the embedded form URL cannot be distinguished at the Apache level.
  2. The cookie may already have been set on another page without the attribute. A later Set-Cookie with the same name, domain and path replaces the stored cookie, attributes included, so re-setting it with SameSite=None should take effect once the browser receives that response, but the behaviour of each browser on this point would need to be confirmed before relying on it.

Instructions for rollout on Windows systems

  1. Edit the public_html/Web.config to include:

    <rewrite>
        <outboundRules>
            <rule name="Add Samesite cookies">
                <match serverVariable="RESPONSE_Set-Cookie" pattern="^(.*)(PHPSESSID)(=.*)$" />
                <action type="Rewrite" value="{R:0}; SameSite=None; Secure" />
            </rule>
        </outboundRules>
    </rewrite>

  2. Restart IIS

This changes the main site to always set SameSite=None and Secure on the PHPSESSID cookie. As with the Apache change, the site must be served over HTTPS: Chrome 80 will not store a SameSite=None cookie that is not Secure, and never sends a Secure cookie over plain HTTP. Because the rule only matches the PHPSESSID cookie, it will not affect the cookies set by Galaxies sites.
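Both rules above do the same thing to a Set-Cookie header: append attributes to whatever is already there. The following is an added JavaScript example (not Jadu code and not part of the original article) that performs the same rewrite once per attribute, so a cookie that already carries SameSite, Secure or HttpOnly is corrected rather than given duplicates, and that can be limited to named cookies in the way the IIS rule limits itself to PHPSESSID. apacheStyleAppend, addSameSiteNone, countAttribute, rewriteSetCookieHeaders and the sample headers are assumptions constructed for the example.

```javascript
// Added example (not Jadu code): the Set-Cookie rewrite that the Apache and IIS
// rules perform, done once per attribute instead of by blind appending.

// Mirror of the article's Apache rule: append the attributes to every cookie.
function apacheStyleAppend(setCookie) {
  return setCookie.replace(/^(.*)$/, '$1; HttpOnly; SameSite=None; Secure');
}

// Idempotent rewrite. opts.onlyNames limits it to named cookies (as the IIS
// rule does for PHPSESSID); opts.httpOnly also adds HttpOnly (as the Apache
// rule does). Attributes we manage are stripped and re-added in a fixed order,
// so running the rewrite twice yields the same header as running it once.
function addSameSiteNone(setCookie, opts = {}) {
  const { onlyNames = null, httpOnly = false } = opts;
  const [nameValue, ...attrs] = setCookie.split(';').map((s) => s.trim()).filter(Boolean);
  const name = nameValue.split('=')[0];
  if (onlyNames && !onlyNames.includes(name)) return setCookie;

  const kept = attrs.filter((a) => {
    const lower = a.toLowerCase();
    if (lower.startsWith('samesite=') || lower === 'secure') return false; // replaced below
    if (lower === 'httponly') return !httpOnly; // re-appended below when requested
    return true;
  });
  if (httpOnly) kept.push('HttpOnly');
  kept.push('SameSite=None', 'Secure'); // Chrome rejects SameSite=None without Secure
  return [nameValue, ...kept].join('; ');
}

// Count how often an attribute appears, to show the duplication problem.
function countAttribute(setCookie, attrName) {
  return setCookie
    .split(';')
    .map((s) => s.trim().toLowerCase())
    .filter((a) => a === attrName || a.startsWith(attrName + '=')).length;
}

// Rewrite every Set-Cookie header of a response (Node/Express style array).
function rewriteSetCookieHeaders(headers, opts) {
  return headers.map((h) => addSameSiteNone(h, opts));
}

// Constructed headers, as a PHP site might emit them.
const SAMPLE = [
  'PHPSESSID=abc123; Path=/; HttpOnly',
  'theme=dark; Path=/; SameSite=Lax',
  'csrf=xyz; Path=/; Secure; SameSite=Strict',
];

console.log(rewriteSetCookieHeaders(SAMPLE, { httpOnly: true }));          // all cookies, Apache style
console.log(rewriteSetCookieHeaders(SAMPLE, { onlyNames: ['PHPSESSID'] })); // session cookie only, IIS style
console.log(countAttribute(apacheStyleAppend(SAMPLE[1]), 'samesite'));      // 2: the blind append duplicates it
console.log(countAttribute(addSameSiteNone(SAMPLE[1]), 'samesite'));        // 1
```

The second sample header is the interesting one: it already says SameSite=Lax, which is exactly what must be overridden for cross-site use, and the blind append leaves both values in the header. The idempotent form replaces it. Whether a duplicated attribute is harmless depends on the browser's parser, so it is better not to emit one.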

FAQs

FAQ: I’ve refreshed the page, but I’m still experiencing the problem :(

If you visited the page before the change was applied, you may already have a session cookie set without the new attributes. You will need to clear this cookie before the change takes effect. Instructions on how to do this for Google Chrome are available here - https://www.allaboutcookies.org/manage-cookies/google-chrome.html. For other browsers, manage cookies through their respective settings pages.

FAQ: "Use my current location" does not work with a Google Map control on an embedded form

Enabling 'Force_Secure' in constants should resolve this.

FAQ: I can see an error in my console:

A cookie associated with a cross-site resource at http://www.google.com/ was set without the SameSite attribute. A future release of Chrome will only deliver cookies with cross-site requests if they are set with SameSite=None and Secure. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

This message relates to Google functionality, not Jadu XFP or CMS.