New Chrome SameSite Cookie Policy and Luminate SSO

Jeremy Isett
Jeremy Isett
Fifth Anniversary Kudos 1 Facilitator 1
in Blackbaud Luminate Online® & Blackbaud TeamRaiser® Discussions
There's a change coming to Chrome that will begin restricting cookies that aren't setting a SameSite Value: https://digiday.com/media/what-is-chrome-samesite/


It doesn't appear that the Luminate SSO cookies are setting this value. While testing in Chrome with that upcoming feature enabled I was unable to login through one of our integration sites.


Are there plans to support this new Chrome cookie policy?
Tagged:

Comments

  • Matthew Smith
    Matthew Smith
    Tenth Anniversary Name Dropper Participant Facilitator 1
    Did you make any progress on this Jeremy? I opened a ticket with support yesterday about it but haven't heard anything yet.
  • M OConnell
    M OConnell
    Tenth Anniversary Participant Facilitator 1 Loyalty Badge
    Ditto for our Team. Opened a ticket.
  • John Miller
    John Miller
    Eighth Anniversary Kudos 1 Participant Facilitator 1
    Hi everyone - sorry for the radio silence on this thread. The Luminate Online development team plans to have an update to the product to address this by the limited release date from Google (Feb 17th). We'll update here once the changes are made and with what the changes entail.


    -John Miller

    Product Manager, Luminate Online
  • Daniel Hartanto
    Daniel Hartanto
    Tenth Anniversary Participant Facilitator 1
    Hi John,


    Do you have further update with regards to this if we may know what to expect/anticipate.


    The JSESSIONID cookie at this time of writing still have no SameSite attribute and value defined and it's been affecting some of our custom workaround solution esp. those that have cross-domain aspect on it.


    Let us know and thank you in advance.


    regards,

    Daniel
  • John Miller
    John Miller
    Eighth Anniversary Kudos 1 Participant Facilitator 1
    Folks -


    This change has been rolled out as of the Chrome release on August 11. We're working on determining how we can roll out an update to the samesite attribute that won't impact all sessions that switch between the non-secure (http) and secure (https) channels. As the structure is now this change to the JSESSION cookie attribute can cause the session to be lost when traversing between channels and this will require a more significant change than simply updating the cookie. We're looking to address this as soon as we can, more to come here as we determine the options to resolve this.


    -John
  • Daniel Hartanto
    Daniel Hartanto
    Tenth Anniversary Participant Facilitator 1
    Thanks John for the update.


    I have a question about the JSESSION impact -- will this / do you foresee that it also affect external site using/calling LO API directly on their end (despite the IP whitelisting and domain whitelisting applied for that external site/domain specified within the Site Options)?


    I have seen the effect of this new SameSite policy on iframe mostly at moment where even some S-tag refused to display/render and also S-tag conditional refused to work when it comes / pertinent to logged in session. (i.e. S45 tag, or displaying S1 tag info i.e. S1:cons_id etc).


    Appreciate the clarification and help as always!


    regards,

    Daniel

Categories