Managing Cross Site cookies for upcoming Chromium changes

As per https://blog.chromium.org/2019/10/developers-get-ready-for-new.html Google have announced that as from February Chrome will treat cookies that have no declared SameSite value as SameSite=Lax cookies.

To manage cross-site cookies, you will need to apply the SameSite=None; Secure setting to those cookies and also cater for clients that are incompatible with SameSite=None.

My testing in Chrome when enabling SameSite by default has proved that our integration with an OpenID provider breaks since the OpenID provider can't retrieve the cookies it requires to complete authentication.

Has anybody else had to consider the SameSite changes? Are there any strategies with how to handle these changes? Has OutSystems considered the impact of these changes? Is there a mechanism in OutSystems that allows the SameSite property of cookies to be configured?

Thanks,

Ben

Just as an FYI, I'm looking into this, though I don't have anything to share yet.

You should, however, be able to check the console in newer versions of Chrome (or Chromium) and see if there are warnings, since this is an upcoming change.

I'll follow up with any additional information I can find.

Solution

Thanks to James Harrison (OutSystems Australia) who has pointed out to me that cookies with properties can be explicitly created using the HTTPRequestHandler AddHeader extension.

My initial testing is positive, but would still need to consider UserAgent values as not all browsers handle SameSite properties the same way.


Great! Glad to hear James was able to help!
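
An added example, not code from this thread or from OutSystems, of the check the accepted solution describes: build the Set-Cookie header value yourself and add SameSite=None only for clients that handle it. The function names and the sample User-Agent strings are constructed for illustration. The version ranges are the publicly documented SameSite=None-incompatible clients, and the resulting string is what would be passed to an AddHeader-style call.

```python
import re

# Constructed sample User-Agent strings, for illustration only.
SAMPLE_UAS = {
    "chrome80": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
                "(KHTML, like Gecko) Chrome/80.0.3987.87 Safari/537.36",
    "ios12": "Mozilla/5.0 (iPhone; CPU iPhone OS 12_4 like Mac OS X) AppleWebKit/605.1.15 "
             "(KHTML, like Gecko) Version/12.1.2 Mobile/15E148 Safari/604.1",
}

def _ver(pattern, ua):
    """Numeric groups of the first match as a tuple of ints, or None."""
    m = re.search(pattern, ua)
    return tuple(int(g) for g in m.groups()) if m else None

def samesite_none_incompatible(ua):
    """True if this User-Agent is known to mishandle SameSite=None."""
    # Every browser on iOS 12 treats SameSite=None as SameSite=Strict.
    if _ver(r"\(iP.+; CPU .*OS (\d+)[_\d]*.*\) AppleWebKit/", ua) == (12,):
        return True
    # Safari and embedded WebKit views on macOS 10.14 share that bug.
    if _ver(r"\(Macintosh;.*Mac OS X (\d+)_(\d+)[_\d]*.*\) AppleWebKit/", ua) == (10, 14):
        if re.search(r"Version/.* Safari/|\(KHTML, like Gecko\)$", ua):
            return True
    # UC Browser before 12.13.2 rejects the cookie outright.
    uc = _ver(r"UCBrowser/(\d+)\.(\d+)\.(\d+)", ua)
    if uc is not None:
        return uc < (12, 13, 2)
    # Chrome and Chromium 51 to 66 reject it as well.
    chromium = _ver(r"Chrom(?:e|ium)/(\d+)", ua)
    return chromium is not None and 51 <= chromium[0] <= 66

def build_set_cookie(name, value, ua):
    """Set-Cookie header value for a cookie that must be sent cross-site."""
    # Refuse separators and CR/LF so the value cannot inject attributes or headers.
    if re.search(r"[;,\s]", name + value):
        raise ValueError("cookie name/value must not contain separators or whitespace")
    parts = [f"{name}={value}", "Path=/", "Secure"]
    # Incompatible clients get no SameSite attribute, which keeps their old behaviour.
    if not samesite_none_incompatible(ua or ""):
        parts.append("SameSite=None")
    return "; ".join(parts)
```

A missing or unrecognised User-Agent is treated as compatible, so new clients receive SameSite=None by default.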