Chrome 80 Cookie Changes

Khoros Oracle

On 4 February, Google is rolling out a new security update that will change how 3rd party cookies are handled in the Chrome browser.  Other browsers are more than likely to also follow suit.

You can find more information about this at the following resources:


What does this mean for Khoros customers?

We are currently evaluating and testing any scenarios that could typically be affected by this change, particularly around SSO/authentication.  If you are a Khoros Community customer and have any questions or concerns, we have created a thread for conversations to take place here.  We’ll continue to post our findings on this blog so please subscribe to this post to stay updated.

If you wish to carry out testing yourself, you can follow the instructions below (taken from SameSite Updates)

To test whether your sites may be affected by the SameSite changes:


  1. Go to chrome://flags and enable #same-site-by-default-cookies and #cookies-without-same-site-must-be-secure. Restart the browser for the changes to take effect.
  2. Test your sites, with a focus on anything involving federated login flows, multiple domains, or cross-site embedded content. Note that, because of the 2 minute time threshold for the "Lax+POST" intervention, for any flows involving POST requests, you may want to test with and without a long (> 2 minute) delay.
  3. If your site stops working:
    • Try turning off #cookies-without-same-site-must-be-secure. If this fixes the issue, you need to set `Secure` on any `SameSite=None` cookies your site may be relying upon. (This may require upgrading HTTP sites to HTTPS.)
    • Try turning off both flags. If this fixes the issue, you need to identify the cookies being accessed in a cross-site context and apply the attributes `SameSite=None` and `Secure` to them. See "SameSite cookies explained" for more information. If you are not the developer of the site, please reach out to the developer and/or vendor who authored the site.
    • For flows involving POST requests, if a short delay (< 2 minutes) works but a long delay (> 2 minutes) does not work, you will also need to add `SameSite=None` and `Secure` to the relevant cookies if the operation in question may take longer than 2 minutes. Note that the 2-minute window for "Lax+POST" is a temporary intervention and will be removed at some point in the future (some time after the Stable launch of Chrome 80), at which point cookies involved in these flows will require `SameSite=None` and `Secure` even if under 2 minutes.


Following the Chrome update, if you do encounter any unexpected behaviour please file a ticket as per the standard Support process.


Update: 4 February 2020

Salesforce have identified that some custom integrations may stop working as a result of the Chrome 80 changes.  This affects instances where our Salesforce connector is being used on the classic version of Salesforce.  We are dependent on a fix being provided by Salesforce, currently due to be deployed on 15 February.  Further details can be found on their help page.  Customers experiencing problems are advised to switch to a different browser as a workaround.