"SameSite" attribute / Moneris hosted page solution

Just posting a note from our developer on the interface we use with the Moneris Hosted page interface. Any comments or thoughts on this would be appreciated, but I thought I would share our findings.

It appears that Chrome (at least) has changed its policy for handling cookies with "3rd party" sites. Cookies have a "SameSite" attribute. How that is set, together with how the Secure attribute is set, determines where the cookie can go. Here's some browser console output that got me going in this direction. (Note: the domain test.test.com is used below, but that is my internal hosting of the site and not your actual test.test.com.)

A cookie associated with a cross-site resource at http://test.test.com/ was set without the `SameSite` attribute. It has been blocked, as Chrome now only delivers cookies with cross-site requests if they are set with `SameSite=None` and `Secure`. You can review cookies in developer tools under Application>Storage>Cookies and see more details at https://www.chromestatus.com/feature/5088147346030592 and https://www.chromestatus.com/feature/5633521622188032.

I was able to make some changes but still ran into a problem with the session cookie. The session cookie is still not being allowed because it is not marked as Secure. When there is no session cookie, that means the session has "timed out". By default, security is set to log out when the session times out. Therefore, the payment success is still being sent to the login page. I disabled the logout-when-session-times-out logic and, as you can see below, the payment success page displays correctly.
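To make the console warning above concrete, here is an added example (not part of the original post or of Moneris' code) that parses Set-Cookie headers and applies Chrome's SameSite-by-default rules to decide whether each cookie would be rejected at set time, withheld on the cross-site request, or sent along. The sample headers, cookie names and values are constructed for illustration; the ASP.NET_SessionId line mirrors the unmarked session cookie described in the post.

```python
"""Classify cookies under Chrome's SameSite-by-default behaviour.

Added example, not code from the original post. The rules modelled:
  - a cookie with SameSite=None must also be Secure, or Chrome rejects it;
  - a Secure cookie cannot be set from a plain-http origin;
  - a cookie with no SameSite attribute is treated as Lax;
  - Lax cookies ride along on top-level cross-site GET navigations but not on
    cross-site POSTs (the usual shape of a hosted-payment-page return);
  - Strict cookies never accompany cross-site requests.
"""
from dataclasses import dataclass


@dataclass
class Cookie:
    name: str
    value: str
    samesite: str  # "None", "Lax", "Strict" or "" when the attribute is absent
    secure: bool


def parse_set_cookie(header: str) -> Cookie:
    """Parse a Set-Cookie header value, keeping only the attributes relevant here."""
    parts = [p.strip() for p in header.split(";") if p.strip()]
    name, _, value = parts[0].partition("=")
    samesite, secure = "", False
    for attr in parts[1:]:
        key, _, val = attr.partition("=")
        key = key.strip().lower()
        if key == "samesite":
            samesite = val.strip().capitalize()  # normalise "none" -> "None"
        elif key == "secure":
            secure = True
    return Cookie(name.strip(), value.strip(), samesite, secure)


def chrome_treatment(cookie: Cookie, https: bool, method: str = "POST") -> str:
    """Return "rejected", "withheld" or "sent" for a cross-site request.

    https:  whether the cookie was set over an https origin.
    method: the cross-site request the cookie would need to accompany.
    """
    if cookie.secure and not https:
        return "rejected"  # Secure cookies are dropped when set over http
    if cookie.samesite == "None":
        return "sent" if cookie.secure else "rejected"  # None requires Secure
    effective = cookie.samesite or "Lax"  # missing attribute defaults to Lax
    if effective == "Lax" and method.upper() == "GET":
        return "sent"
    return "withheld"


def audit(headers: list[str], https: bool, method: str = "POST") -> dict[str, str]:
    """Map each cookie name to its treatment, e.g. for a POST back from a payment page."""
    return {
        (c := parse_set_cookie(h)).name: chrome_treatment(c, https, method)
        for h in headers
    }


# Constructed sample headers, as a merchant site might emit them.
SAMPLE_HEADERS = [
    "ASP.NET_SessionId=abc123; path=/; HttpOnly",       # no SameSite, no Secure
    "legacy_auth=tok1; path=/; SameSite=None",           # None but not Secure
    "auth=tok2; path=/; SameSite=None; Secure",          # the combination Chrome accepts
    "prefs=dark; path=/; SameSite=Lax",
]

if __name__ == "__main__":
    for name, result in audit(SAMPLE_HEADERS, https=True).items():
        print(f"{name:18} -> {result}")
```

Running the block shows why the post's session cookie never reached the payment-success page: with no SameSite attribute it is treated as Lax and withheld on the cross-site POST, and adding SameSite=None alone is not enough without Secure. Two caveats worth knowing when reading results: Chrome also shipped a temporary "Lax+POST" exception that lets attribute-less cookies accompany a top-level cross-site POST for two minutes after they were set, which the checker does not model, and marking the session cookie SameSite=None deliberately re-opens it to cross-site requests, so the endpoint receiving the payment result should still verify the transaction server-side rather than trust the browser-supplied redirect.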

  • Chrome was updated earlier in March and some people may start experiencing this issue. Chrome is releasing it as a canary update... so it is not every Chrome user who will have the issue. Source : www.chromium.org/.../same-site

    It is possible to force that update. Go to chrome://flags/ and enable "SameSite by default cookies".
  • Experiencing the same problem in ASP.NET sites. The following web.config change seemed to resolve the problem for me (sharing Session/Cookie with a 3rd party website).


    <system.web>
      <!-- Enable sharing session cookie with 3rd party sites, such as Moneris HPP -->
      <httpCookies sameSite="None" requireSSL="true" />

      <!-- add "cookieSameSite=None" to the session state provider -->
      <sessionState cookieSameSite="None" />
    </system.web>


    Since this will likely affect many Moneris HPP sites, please share any alternate approach to resolving this problem.