We’ve developed some resources to help you work effectively from home during COVID-19 Click to learn more

How does Chrome blocking third party cookies affect us?

Hi, we've built a few apps for the appstore that appears as webpanels in SuperOffice. They use cookies, both for the SuperOffice Online authentication and for our apps site.

In Chrome there is going to be stricter usage of third party cookies (https://www.bleepingcomputer.com/news/google/google-chrome-starts-testing-third-party-cookie-blocking/), and I believe we've had one or two supportcases for this allready where the user hasn't been able to use our app in Chrome.

A lot of water has gone under the bridge since we wrote these first apps for the appstore, and perhaps there is a better way of doing things than we did at the time.

Are any of you other appstore-developers seeing issues with third party cookies? Or have you got a different design, making this a non-issue?

RE: How does Chrome blocking third party cookies affect us?

Hi Frode,

All good things in the name of Security! While I don't know of a quick work around, I do see others have to post instructions for customers like other online vendors.

Best regards.

Av: Tony Yates 7. okt 2019

RE: How does Chrome blocking third party cookies affect us?

I see that Firefox v69 already has started blocking third-party cookies. I know this is not Chrome, but I have used this version to do some tests with our application that is running inside an SuperOffice iframe and require cookies.

Firefox has three settings for Content Blocking: Standard, Strict and Custom. In both Standard and Strict, third-party tracking cookies are blocked. Our application worked without any issues using both Standard and Strict settings and it was only when I used Custom setting in combination with "Block All Third Party" cookies flag, our application did not work at all.

Firefox has further made it relative easy for the user to add an exception for any blocked content. Two mouse clicks and SuperOffice Web was one the exception list and our application worked again.

Hopefully Google will do something similar with Chrome.

Av: Arild Eik 7. okt 2019

RE: How does Chrome blocking third party cookies affect us?

Hi again, the date for Chrome by default blocking third-party cookies is approaching quickly. It's scheduled to appear in Chrome 80 which is going to release february 4th.

I enabled the feature in my Chrome 79, and stuff breaks all over the place. We have webpanels in SuperOffice from multiple appstore vendors, and all of them broke. Our own included. We're in the process of fixing our apps, and I suggest all other vendors check up on their apps as well.

Arild mentioned it's possible to whitelist a domain in each customers browser, but that, in my opinion, should only be used as a short-term fix. It's better to fix the issue at the root.

For our apps I've gotten it fixed locally, but struggeling with Azure not supporting .NET v4.8 yet. Interrested in hearing others experiences on fixing the SameSite issue.

Av: Frode Lillerud 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

To my knowledge this should be solvable with .Net 4.7.2, but the problem is that Microsoft have not been pushing out the 4.7.2 patch in Azure:

https://devblogs.microsoft.com/aspnet/upcoming-samesite-cookie-changes-in-asp-net-and-asp-net-core/

Barry Dorrans: January 14: "I cannot speak to Azure web apps’ timeline. But not, they haven’t rolled it out yet, I don’t know when that will be."

I have seen other comments stating that the 4.7.2 patching in Azure will start January 31, but I'm not sure if this is correct.

Av: Arild Eik 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

Yes, we experience the same issues and are working on a solution too.

Regarding .NET version:
If you are using ASP.NET Core you can just update the Nuget packages, it's not related to .NET version:
https://github.com/aspnet/Announcements/issues/390#issuecomment-575385338

Av: Matthijs Wagemakers 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

Arild, that's the info I've found as well. Guess Azure guys have no choice than to get .NET 4.7.2/4.8 working in Azure App Services soon. Hopefully...

Matthijs, our older apps are using .NET 4.x, while the next one we're working on is .NET Core 3.1 + SuperOffice WebApi.

Av: Frode Lillerud 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

I'm "sadly" using .Net Framework and not core.

I'm not sure if you experience the same... My problem is that when I activate the “block 3rd party cookies” in Chrome v79, the session variables I set before redirecting the request to SuperOffice for authentication (https://sod.superoffice.com/login/common/oauth/authorize....) are “lost” (HttpContext.Session["mysessionname"] is null) when the response from SuperOffice is handled in my SoCallback controller.

Since I’m in Azure I’m using SQL Server as session server and I have even tried to specify (in web.config) the use of cookieSameSite=”None” here as well – but it makes no difference:

<sessionState cookieSameSite="None" allowCustomSqlDatabase="true" cookieless="UseCookies" mode="SQLServer" sqlConnectionString="…….." timeout="30" />

I have verified that the session is stored in the database, so I assume the problem is retrieving the session again. All I know is that it's driving me crazy….

Any tips very appreciated...

Av: Arild Eik 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

Hi Arild, the <sessionState cookieSameSite="None" /> should solve the issue, but only for new cookies, probably first the existing ones must be removed. You can verify in the chrome dev tab if the session is set as 'Lax' or 'None'.

Av: Carlo Pompen 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

Thank you, Carlo.


I was also under the impression that the cookieSameSite="None" should solve the problem. I have verified that the cookies (both in Chrome and by breakpoints in Visual Studio) that the SameSite on the ASP Net session cookie is set to None. I have further cleared the database for all sessions as well as all cookies in the browser (+ a restart of Chrome). Nothing helps.

Av: Arild Eik 17. jan 2020

RE: How does Chrome blocking third party cookies affect us?

Arild, did you look at the cookies sent to the browser as well? Not just what the server is "supposed" to send.

This is GOOD:

 

This is BAD:

Av: Frode Lillerud 17. jan 2020