As you may be aware, future browser versions will be more restrictive in handling cookie access across different domains. We want to raise awareness here because the chances are high that you or one of your customers is also affected.
To test whether you are affected, set the Chrome flags chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure both to “Enabled” (the future default value of these flags) and then test your use cases. Possible effects are that login processes fail or produce endless redirect loops, and that embedded content cannot be fetched. In the browser developer console you will see warning logs starting with “A cookie associated with a cross-site resource … was set without the `SameSite` attribute. It has been blocked”.
For further information see, for example, this post on the timeline and current state for the Chrome browser. That article also includes useful links for developers and mitigation strategies for the new behaviour. Most web servers provide a way to configure the default value of the `SameSite` attribute of cookies; for Apache, for example, see the cookie processor settings.
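As an added example (not part of this post or of FirstSpirit), the following Python script models the two Chrome rules named above and reports how each `Set-Cookie` header in a captured login flow will be treated, so you can spot affected cookies before the new defaults land. The sample headers are constructed for illustration.

```python
"""Classify Set-Cookie headers under Chrome's new SameSite defaults.

Rules modelled (the two Chrome flags named in the post):
  - no SameSite attribute        -> treated as SameSite=Lax (not sent cross-site)
  - SameSite=None without Secure -> cookie rejected entirely
  - SameSite=None; Secure        -> still usable cross-site
  - SameSite=Lax / Strict        -> explicit, unchanged
"""
from __future__ import annotations
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class CookieVerdict:
    name: str
    samesite: Optional[str]   # value as written in the header, None if absent
    secure: bool
    effective: str            # "Lax", "Strict", "None" or "REJECTED"
    cross_site_ok: bool       # will the browser attach it to cross-site requests?


def parse_set_cookie(header: str) -> Tuple[str, Dict[str, Optional[str]]]:
    """Split a Set-Cookie header value into the cookie name and its attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0].strip()
    attrs: Dict[str, Optional[str]] = {}
    for part in parts[1:]:
        if part:
            key, _, value = part.partition("=")
            attrs[key.strip().lower()] = value.strip() or None
    return name, attrs


def classify(header: str) -> CookieVerdict:
    name, attrs = parse_set_cookie(header)
    samesite = attrs.get("samesite")
    secure = "secure" in attrs
    value = (samesite or "").lower()
    if value == "none":
        effective = "None" if secure else "REJECTED"
    elif value == "strict":
        effective = "Strict"
    else:
        effective = "Lax"   # explicit Lax, unknown value, or attribute absent
    return CookieVerdict(name, samesite, secure, effective, effective == "None")


def audit(headers: List[str]) -> List[CookieVerdict]:
    return [classify(h) for h in headers]


# Constructed sample headers (hypothetical, not from any real product).
SAMPLE_HEADERS = [
    "JSESSIONID=abc123; Path=/; HttpOnly",
    "tracker=1; SameSite=None",
    "tracker=1; SameSite=None; Secure",
    "csrftoken=xyz; SameSite=Strict; Secure",
]

if __name__ == "__main__":
    for v in audit(SAMPLE_HEADERS):
        print(f"{v.name:12} SameSite={v.samesite!s:8} Secure={v.secure!s:5} -> {v.effective}")
```

Feed it the `Set-Cookie` values copied from the developer console's network tab; any cookie reported as "Lax" or "REJECTED" that your integration needs cross-site is the one to fix on the server.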
The FirstSpirit session cookie has supported the SameSite attribute since May 2020. Please consult the release notes for more details.
Please post your comments and questions here, we will monitor this thread and will also post updates here.