Chrome Browser SameSite Issue

Summary

Starting with version 80, Google is pushing a change in its Chrome browser around February 4, 2020 to how cookie security is handled.  This will cause some services to break completely or partially when accessed through SSO or other means.  Depending on how the change is rolled out to users, the effects may be very sporadic and not readily attributable to the change (i.e. affecting some users but not others).

A very good technical explanation of what is occurring and the potential effects is in the Same-Site Cookies by Default blog article.

What is the potential impact to users?

Typically, it will be broken web pages or outright failures to sign-in to services.  In some cases, initial sign-in may work but other parts of the service may fail.

Example #1 - University Library’s Catalog and Management System (Alma/Primo)

[Screenshot: University Library's Catalog and Management System broken example]

Example #2 - Software Depot (Free Software)

[Screenshot: Software Depot's broken example]

What do I need to do?

  1. Test your services (see below) to be aware of potential impact to your users.
  2. Mitigate issues by doing one or more of the following after testing:
    • Open a support ticket with your vendor/service and have them fix their cookies.
    • Switch to an alternate browser for use with affected services.  Currently Firefox is keeping the setting off but waiting to see the results of Chrome pushing this change before deciding if and when to turn it on.  Other options may be Internet Explorer/Edge or Safari on Apple devices.
    • Turn the new setting off in Chrome (see below for how to do this).

Why can’t Division of IT fix this globally?

Individual services need to modify how they set cookies to truly fix the issue.  Any work-around we implement at the global level has potentially serious side-effects.  For example, a bug in how Apple WebKit implemented cookies in the past means a global change on our SSO side may help PC users with the Chrome browser but will likely break any browser used on all but the most recent Apple iOS devices.
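To see which of a service's cookies fall foul of the Chrome 80 rules described above, the following added example (not code from this article or from Division of IT) classifies Set-Cookie headers the way Chrome 80 treats them in cross-site requests.  The headers in SAMPLE_HEADERS are constructed for illustration, not captured from any real service.

```python
# Added example (not part of the KB article): classify Set-Cookie headers
# under the Chrome 80 rules, so a service owner can see which cookies will
# break cross-site SSO flows before users report it.
# The sample headers below are constructed, not taken from a real service.
from typing import Dict, List, Tuple

SAMPLE_HEADERS = [
    "SESSIONID=abc123; Path=/; HttpOnly",                  # no SameSite at all
    "sso_token=xyz; Path=/; SameSite=None",                # None, but not Secure
    "sso_token=xyz; Path=/; SameSite=None; Secure",        # the correct form
    "csrf=42; Path=/; SameSite=Lax",                       # explicit Lax
    "prefs=dark; Path=/; SameSite=Strict; Secure",         # explicit Strict
]

def parse_set_cookie(header: str) -> Dict[str, str]:
    """Split a Set-Cookie value into the cookie name plus lower-cased attributes."""
    parts = [p.strip() for p in header.split(";")]
    name = parts[0].split("=", 1)[0]
    attrs: Dict[str, str] = {}
    for part in parts[1:]:
        key, _, value = part.partition("=")
        attrs[key.strip().lower()] = value.strip().lower()
    return {"name": name, **attrs}

def chrome80_verdict(header: str) -> str:
    """Return how Chrome 80+ treats this cookie on cross-site requests."""
    cookie = parse_set_cookie(header)
    samesite = cookie.get("samesite")
    secure = "secure" in cookie
    if samesite is None:
        # Chrome 80 defaults a missing attribute to Lax: the cookie is no longer
        # sent on cross-site POSTs or inside third-party iframes, which is how
        # SSO callbacks and embedded catalog pages break.
        return "BREAKS: no SameSite attribute, treated as Lax"
    if samesite == "none" and not secure:
        # SameSite=None is only honoured together with Secure; otherwise
        # Chrome 80 rejects the cookie outright.
        return "REJECTED: SameSite=None without Secure"
    if samesite == "none":
        # Works in Chrome 80. Caveat from the article: older WebKit builds
        # treated SameSite=None as Strict, so test on Apple devices as well.
        return "OK: SameSite=None; Secure (verify on older Safari/iOS)"
    return f"OK: explicit SameSite={samesite}, cross-site use is intentionally limited"

def audit(headers: List[str]) -> List[Tuple[str, str]]:
    """Pair each cookie name with its verdict, keeping duplicates in order."""
    return [(parse_set_cookie(h)["name"], chrome80_verdict(h)) for h in headers]

if __name__ == "__main__":
    for name, verdict in audit(SAMPLE_HEADERS):
        print(f"{name:12} {verdict}")
```

Point the same check at the Set-Cookie headers captured from your own service's login response (browser developer tools, Network tab) to find the cookie that needs fixing by the vendor.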

How do I test?

Although the change is being pushed by Google with their Chrome browser, there are quirks in how they are implementing it that make testing with that browser very difficult.  It is actually much better to use the latest consumer version of Firefox and turn the setting on manually to do testing.  Note that the ESR version of Firefox installed on many campus computers cannot be used for this testing.

  1. Install the latest version of the consumer Firefox browser, if not already installed.  This testing was done with version 72.0.2.
  2. In Firefox, type about:config as the URL and accept the warning to proceed with caution.
  3. Search for samesite; two options will appear.  Set them both to true using the toggle button.
  4. Close that window (settings take effect immediately) or open a new tab and proceed to test your service by logging in normally and observing the results. 
  5. If you have more than one service to test, you must completely close the browser and ensure your cookies and cache are cleared before attempting to test the new service.  It is best to use Firefox’s Private Window feature.

My services are broken with Chrome and I want to make Chrome work like before.

If you don’t want to use an alternate browser, you can attempt to turn off the new setting pushed by Google by doing the following procedure:

  1. In the Chrome URL bar, type chrome://flags and search for SameSite.
  2. Set SameSite by default cookies and Cookies without SameSite must be secure to Disabled and then click the Relaunch button to make the setting take effect. 
  3. Test your service again.

Details

Article ID: 97179
Created: Fri 1/31/20 3:05 PM
Modified: Fri 1/31/20 4:11 PM