Warning: Google Chrome 80 may cause problems with online payments
If you have a website that allows you to receive payments online and this has sometimes failed to work properly for your users over the last few weeks, it could be due to a recent change in Google Chrome, more specifically when passing the SameSite cookie in Google Chrome 80. This change sometimes causes problems with online payments, and we experienced this as well.
Google has put the change on hold for the time being, but we recommend that you prepare for this change now.
Problems with online payments
Chrome 80 started treating cookies that carry no SameSite attribute as if they were marked "Lax", a change intended to stop cookies from being sent along with cross-site requests and so to make cross-site request forgery harder. This well-intentioned change, however, also had unwanted consequences, as we at Combell have noticed. Under certain circumstances the cookie is no longer sent on the request that comes back from the payment module used by a website, so the shop cannot link that request to the order and the payment cannot be processed. As a result, some orders placed by our customers via a Chrome 80 browser did not go through, because they were not confirmed by the payment module. If you have not received a confirmation e-mail from us regarding your order, please contact us immediately.
As soon as we became aware of this problem, we rolled out an internal fix. Meanwhile, Google has also announced that it will roll back this change, in order to avoid further complications in the midst of the COVID-19 crisis. But all signs suggest that this SameSite change will be implemented at a later date – Google plans to resume the process this summer. It is therefore crucial that you know what the problem actually is and how you can solve it. We are happy to share our findings with you.
SameSite cookie in Google Chrome 80: the technical explanation
Every cookie can carry a SameSite attribute, which tells the browser whether the cookie may be attached to requests that originate from another site, for example the request that sends the customer from your website to the payment module of your payment service provider, or the one that brings the customer back. Until recently you were not required to set it, and a cookie without a SameSite attribute was simply sent with every request to its domain, cross-site requests included.
From Chrome 80 onwards, a cookie that does not specify this attribute is treated as "SameSite=Lax". A Lax cookie is still sent on every request within the same site, but on a cross-site request only when that request is a top-level navigation using a safe method such as GET. It is not sent on a cross-site POST (the form submission with which many payment providers and 3-D Secure pages return the customer to the shop), nor on requests made from inside a cross-site iframe. In those cases your shop receives the request without its session cookie, cannot match it to the order, and the payment appears never to have been confirmed. Chrome softens the rule slightly: a cookie without a SameSite attribute that was set less than two minutes earlier is still sent on a top-level cross-site POST, which helps explain why the problem shows up in some checkouts and not in others.
The simplest solution is to set the attribute explicitly to "SameSite=None". Chrome 80 only accepts such a cookie when it is also marked "Secure", so the site must be served, and the cookie set, over an HTTPS connection. Check every cookie the payment flow depends on (session, cart, CSRF token), not just the ones you set yourself; Chrome's developer console warns about cookies it has downgraded. Please note that some older browsers do not handle the "None" value correctly: a few reject such a cookie outright, others treat it as "Strict", so the cookie is lost in exactly the flow you are trying to protect. For a clear overview of browser support, please visit this page: https://caniuse.com/#search=samesite.
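To make the rules above concrete, here is a small Node.js model of the browser's decision, together with a Set-Cookie builder for the fix and a check for clients that mishandle "None". This is an added example and not code from Combell or from any payment module; it assumes that a host's "site" is its last two labels (real browsers use the Public Suffix List), that the two-minute "Lax + POST" grace period is as published by the Chromium project, and that the incompatible-client patterns, condensed from Chromium's published list, are a simplified approximation. The request and user-agent strings are constructed for the example.

```javascript
// Added example (not from the original article). Models the Chrome 80 SameSite
// default, the "Lax + POST" grace period, the SameSite=None; Secure fix, and a
// simplified check for older clients that mishandle SameSite=None.

// Approximate the "site" of a host name (assumption: last two labels; browsers
// actually use the Public Suffix List).
function siteOf(host) {
  return host.toLowerCase().split('.').slice(-2).join('.');
}

// Chrome 80 rejects a SameSite=None cookie at set time unless it is also Secure.
function cookieAccepted(cookie, chrome80) {
  return !(chrome80 && cookie.sameSite === 'None' && !cookie.secure);
}

// Does the browser attach this cookie to the request?
//   cookie:   { sameSite: 'Strict' | 'Lax' | 'None' | undefined, secure: boolean }
//   req:      { fromHost, toHost, method, topLevel, https, ageSeconds }
//   chrome80: false = old default (no restriction), true = Chrome 80 default (Lax)
function cookieIsSent(cookie, req, chrome80) {
  if (!cookieAccepted(cookie, chrome80)) return false;   // never stored, so never sent
  if (cookie.secure && !req.https) return false;         // Secure cookies need HTTPS
  const mode = cookie.sameSite || (chrome80 ? 'Lax' : 'None');
  if (mode === 'None') return true;
  if (siteOf(req.fromHost) === siteOf(req.toHost)) return true;  // same-site: always sent
  if (mode === 'Strict') return false;
  // Lax: cross-site only on top-level navigations with a safe method ...
  const safeMethod = req.method === 'GET' || req.method === 'HEAD';
  if (req.topLevel && safeMethod) return true;
  // ... plus Chrome's "Lax + POST" grace period: a cookie with *no* SameSite
  // attribute that is less than two minutes old is still sent on a top-level POST.
  if (cookie.sameSite === undefined && req.topLevel &&
      req.method === 'POST' && req.ageSeconds < 120) return true;
  return false;
}

// Build the Set-Cookie header for the fix; SameSite=None must be paired with Secure.
function buildSetCookie(name, value, opts = {}) {
  const { sameSite = 'None', secure = true, httpOnly = true, path = '/' } = opts;
  if (!/^[!#$%&'*+\-.^_`|~0-9A-Za-z]+$/.test(name)) throw new Error('invalid cookie name');
  if (/[\s;,"\\]/.test(value)) throw new Error('invalid cookie value');
  if (sameSite === 'None' && !secure) throw new Error('SameSite=None requires Secure');
  const parts = [`${name}=${value}`, `Path=${path}`, `SameSite=${sameSite}`];
  if (secure) parts.push('Secure');
  if (httpOnly) parts.push('HttpOnly');
  return parts.join('; ');
}

// Simplified check for clients known to mishandle SameSite=None (assumption:
// condensed from Chromium's "incompatible clients" list; use a maintained
// library in production rather than this hand-written heuristic).
function mishandlesSameSiteNone(ua) {
  const chrome = ua.match(/Chrom(?:e|ium)\/(\d+)/);
  if (chrome) {
    const major = Number(chrome[1]);
    return major >= 51 && major <= 66;            // these versions reject the cookie
  }
  // Safari/WebKit on iOS 12 and macOS 10.14 treat SameSite=None as Strict.
  if (/(iPhone|iPad|iPod)/.test(ua) && /\bOS 12_\d/.test(ua)) return true;
  if (/Macintosh; Intel Mac OS X 10_14/.test(ua) && /Version\/\d+.*Safari\//.test(ua)) return true;
  return false;
}

// Walk through the scenario from the article: the payment provider posts the
// customer back to the shop ten minutes after the session cookie was set.
function demo() {
  const sessionCookie = { sameSite: undefined, secure: true };   // typical pre-fix cookie
  const returnFromPsp = {                                        // constructed request
    fromHost: 'pay.psp-example.net', toHost: 'shop.example.com',
    method: 'POST', topLevel: true, https: true, ageSeconds: 600,
  };
  return {
    beforeChrome80: cookieIsSent(sessionCookie, returnFromPsp, false),   // true
    chrome80:       cookieIsSent(sessionCookie, returnFromPsp, true),    // false: order lost
    fixed:          cookieIsSent({ sameSite: 'None', secure: true }, returnFromPsp, true), // true
    header:         buildSetCookie('PHPSESSID', 'abc123'),
  };
}

console.log(demo());
```

The model deliberately returns false for a "None" cookie without "Secure" under Chrome 80, because Chrome never stores it; that is the mistake most often made when applying the fix by hand. Run the user-agent check server-side before emitting the "None" attribute if you still need to support the listed clients, and fall back to a cookie without a SameSite attribute for them.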
More information can be found here:
- Information about the SameSite attribute
- Google Chrome updates
- SameSite in Firefox
- SameSite in Edge
- Unofficial cookie fix in Magento 2.2/2.3
- Magento Github issue
If you have any questions, our specialists will be pleased to provide you with further technical information. As usual, our staff are available to give you all the advice you need.