These docs are for v1.0.1. Click to read the latest docs for v2.1.0.

SameSite Cookies

As you may already know, starting in Chrome 80, cookies that do not specify a SameSite attribute will begin to be treated as if they were SameSite=Lax [0],[1].

Please check https://www.chromium.org/updates/same-site for updates on the rollout schedule.

Datatrans does not use cookies for payments. However, if your payment success/cancel/error pages rely on an active user session in order to work properly, there is a possibility that the new cookie behavior in Chrome will break your payment flow.

We strongly encourage you to test your solutions (payments being only one of them) to see if they still work before Google rolls out those changes. For testing, the SameSite=Lax behavior can be enforced in today's versions of Google Chrome [3]. During testing, please make sure to wait 2 minutes before redirecting back to your webshop. This is needed because, as a first step, Chrome treats cookies without the SameSite attribute as SameSite=Lax only after 2 minutes. [1]

Setting the ShortLaxAllowUnsafeThreshold

If during testing you don't always want to wait for two minutes, the following Chrome command line flag can be used to lower the timeout from 2 minutes to 10 seconds:
--enable-features=ShortLaxAllowUnsafeThreshold

This flag is available in Chrome 79.0.3945.16 and newer. [5]

If your web shop solution does not work anymore after enabling SameSite=Lax [3], please adjust your solution by applying the recommended changes described by Google [4].
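The behavior described above, as an added example that is not Datatrans or Google code: a simplified JavaScript model of how Chrome with the flags from [3] enabled decides whether a cookie accompanies a top-level cross-site POST back to the shop, together with a `SameSite=None; Secure` session cookie and the legacy fallback from the recipe in [4]. The cookie name `SID`, all function names and the assumption that the return to the shop is a POST are illustrative.

```javascript
// Simplified model (assumption: the return to the shop is a top-level cross-site POST).
const LAX_ALLOW_UNSAFE_SECONDS = 120; // 10 with --enable-features=ShortLaxAllowUnsafeThreshold

// Parse the attributes we care about out of a Set-Cookie header value.
function parseSetCookie(header) {
  const [pair, ...attrs] = header.split(";").map((s) => s.trim());
  const eq = pair.indexOf("=");
  const cookie = { name: pair.slice(0, eq), value: pair.slice(eq + 1), secure: false, sameSite: null };
  for (const attr of attrs) {
    const [key, val = ""] = attr.split("=");
    if (key.toLowerCase() === "secure") cookie.secure = true;
    if (key.toLowerCase() === "samesite") cookie.sameSite = val.toLowerCase();
  }
  return cookie;
}

// Would the browser attach this cookie to the cross-site POST, given the cookie's age?
function sentOnCrossSitePost(header, ageSeconds, threshold = LAX_ALLOW_UNSAFE_SECONDS) {
  const c = parseSetCookie(header);
  if (c.sameSite === "none") return c.secure; // None without Secure is rejected (second flag in [3])
  if (c.sameSite === "lax" || c.sameSite === "strict") return false;
  return ageSeconds < threshold; // no attribute: treated as Lax once the grace period is over
}

// Headers for a session cookie that must survive the return from the payment page.
// The "-legacy" twin is for clients that mishandle SameSite=None (recipe in [4]).
function sessionCookieHeaders(name, value) {
  const base = `${value}; Path=/; HttpOnly; Secure`;
  return [`${name}=${base}; SameSite=None`, `${name}-legacy=${base}`];
}

// Server side: prefer the new cookie, fall back to the legacy one.
function readSession(cookies, name) {
  return cookies[name] ?? cookies[`${name}-legacy`] ?? null;
}
```

A cookie set with `SameSite=None` is sent on every cross-site request, so the pages that accept it still need their own request forgery protection.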

More information and how other browsers will handle this topic can be found here:
https://auth0.com/blog/browser-behavior-changes-what-developers-need-to-know/

[0] https://blog.chromium.org/2019/10/developers-get-ready-for-new.html
[1] https://www.chromestatus.com/feature/5088147346030592
[2] https://www.chromestatus.com/features/schedule
[3] Set chrome://flags/#same-site-by-default-cookies and chrome://flags/#cookies-without-same-site-must-be-secure to enabled
[4] https://web.dev/samesite-cookie-recipes/#handling-incompatible-clients
[5] https://www.chromium.org/updates/same-site