Setting SameSite Cookies


Web browsers (including Chrome, Firefox, and Edge) are changing their behavior to enforce privacy-preserving defaults. A cookie attribute named SameSite allows developers to declare explicitly the intended scope of a cookie, but it is not widely used. To enforce stricter coding practices and preserve a user's privacy, these browsers are changing the default behavior for cookies that do not declare a SameSite value to SameSite=Lax.

What is the SameSite Attribute?

The three settings for the SameSite attribute are:

  1. SameSite=Strict

    The SameSite=Strict value only allows first-party cookies to be sent. This setting is good for user actions like login credentials, but the cookie will not be sent on the initial request to the webpage.

    Important: OneTrust cookies do not support this setting.

  2. SameSite=Lax

    The SameSite=Lax setting allows the user to maintain a logged-in status while arriving from an external link. This works well for things like transferring a promotional code, as the cookie is sent on these top-level navigations.

  3. SameSite=None

    This value communicates that the cookie is intentionally shared in a third-party context. Developers must now opt in to allowing third-party scripts on their sites. When SameSite=None is set, the Secure attribute must also be included.

For further reading, see SameSite Cookies Explained and OneTrust Cookies.

Effect on OneTrust Cookies

By default, browsers will treat the first-party cookies as SameSite=Lax. Additionally, OneTrust has updated the first-party cookies to add this attribute. No action is required for these changes to occur.

Cookies Affected:

  • OptanonConsent

  • OptanonAlertBoxClosed

  • eupubconsent-v2

The third-party euconsent-v2 cookie has been updated to SameSite=None and Secure as this cookie should be used in the third-party context to relay a user’s consent to other Universal Consent & Preference Management Providers. Failing to update this cookie will result in your cookies being rejected by the browser. If you are using this cookie, you must republish the script for this change to occur.

To ensure that the changes have been made, inspect your euconsent-v2 cookie after republishing the script and confirm that it carries SameSite=None; Secure.
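The two rules the article relies on, that a cookie with no SameSite attribute is treated as SameSite=Lax and that SameSite=None is only accepted alongside Secure, can be checked mechanically against the Set-Cookie headers a site emits. The following is an added example written for this article, not OneTrust's or Salesforce's code: it parses Set-Cookie header values, derives the SameSite value a browser would apply, and flags the SameSite=None-without-Secure case that causes rejection. The cookie names come from the article; the cookie values and attributes in the sample headers are constructed for illustration.

```python
"""Audit Set-Cookie headers for SameSite and Secure consistency.

Added example (not OneTrust's or Salesforce's code). Rules applied:
  * a cookie with no SameSite attribute is treated as SameSite=Lax
    (the browser default described in the article);
  * SameSite=None requires Secure, otherwise the browser rejects the cookie.
"""
from dataclasses import dataclass, field

VALID_SAMESITE = ("Strict", "Lax", "None")


@dataclass
class ParsedCookie:
    name: str
    value: str
    # lower-cased attribute name -> value, or None for flag attributes (Secure, HttpOnly)
    attributes: dict = field(default_factory=dict)


def parse_set_cookie(header: str) -> ParsedCookie:
    """Split one Set-Cookie header value into name, value and attributes."""
    parts = [p.strip() for p in header.split(";")]
    name, _, value = parts[0].partition("=")
    attrs = {}
    for part in parts[1:]:
        if not part:
            continue
        key, sep, val = part.partition("=")
        # attribute names are case-insensitive; flags like Secure have no value
        attrs[key.strip().lower()] = val.strip() if sep else None
    return ParsedCookie(name.strip(), value, attrs)


def effective_samesite(cookie: ParsedCookie) -> str:
    """Return the SameSite value a browser will apply to this cookie."""
    raw = cookie.attributes.get("samesite")
    if raw is None:
        # attribute absent (or given without a value): browsers default to Lax
        return "Lax"
    normalized = raw.capitalize()  # attribute values are case-insensitive
    return normalized if normalized in VALID_SAMESITE else "Lax"


def audit(header: str) -> dict:
    """Audit one Set-Cookie header and return the findings a reviewer cares about."""
    cookie = parse_set_cookie(header)
    samesite = effective_samesite(cookie)
    secure = "secure" in cookie.attributes
    findings = []
    if "samesite" not in cookie.attributes:
        findings.append("no SameSite attribute: browser applies Lax by default")
    if samesite == "None" and not secure:
        findings.append("SameSite=None without Secure: browser will reject this cookie")
    return {"name": cookie.name, "samesite": samesite, "secure": secure, "findings": findings}


def audit_all(headers) -> list:
    return [audit(h) for h in headers]


# Constructed sample headers; only the cookie names are taken from the article.
SAMPLE_HEADERS = [
    "OptanonConsent=isIABGlobal=false; Path=/; SameSite=Lax",
    "OptanonAlertBoxClosed=2024-01-01T00:00:00.000Z; Path=/",
    "euconsent-v2=CPxyzCONSENTSTRING; Path=/; SameSite=None; Secure",
    "euconsent-v2=CPxyzCONSENTSTRING; Path=/; SameSite=None",
]

if __name__ == "__main__":
    for result in audit_all(SAMPLE_HEADERS):
        status = "OK" if not result["findings"] else "; ".join(result["findings"])
        print(f'{result["name"]}: SameSite={result["samesite"]} Secure={result["secure"]} -> {status}')
```

Run the script against headers captured from your own site (for example from the response headers shown in the browser's developer tools) to confirm that the republished euconsent-v2 cookie reports SameSite=None with Secure set, and that no first-party cookie is silently relying on the browser default.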

Configuring the SameSite Attribute

To set the SameSite attribute to None, enable the Enable SameSite = None setting when publishing your scripts. For more information, see Publishing and Implementing Cookie Consent Scripts.
